Splunk Search

Using rex to extract multivalue fields from events, why is it only extracting the first record of values?


Hi everyone,

I want to extract a record of values:

I tried with this regex, but it is only extracting the first record:

rex "\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"

I need your help. The following is my sample data:

"================================================================ "
"98 Processes at: 2015-04-08T19:14:13.270 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd] root 3 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/0] root 5 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/0:0H] root 7 0.0 0.0 0 0 ? S Mar04 1:35 [rcu_sched] root 8 0.0 0.0 0 0 ? S Mar04 0:00 [rcu_bh] root 9 0.0 0.0 0 0 ? S Mar04 0:01 [migration/0] root 10 0.0 0.0 0 0 ? S Mar04 0:01 [migration/1] root 11 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/1] root 13 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/1:0H] root 14 0.0 0.0 0 0 ? S Mar04 0:04 [migration/2] root 15 0.0 0.0 0 0 ? S Mar04 0:03 [ksoftirqd/2] root 17 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/2:0H] root 18 0.0 0.0 0 0 ? S Mar04 0:05 [migration/3] root 19 0.0 0.0 0 0 ? S Mar04 0:04 [ksoftirqd/3] root 21 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/3:0H] root 22 0.0 0.0 0 0 ? S< Mar04 0:00 [khelper]
"================================================================ "

I need to extract from this sample data all the following fields for each record:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

For example, the first and second records should be:

USER  PID  %CPU  %MEM   VSZ   RSS   TTY  STAT  START  TIME  COMMAND
root   1    0.0   0.0  19488  1632   ?    Ss   Mar04  0:01  /sbin/init
root   2    0.0   0.0    0     0     ?    S    Mar04  0:00  [kthreadd]

THANKS

1 Solution


If you check out the doc on the rex command, you'll see that max_match= controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1; use 0 to mean unlimited.
Try like this:

...| rex max_match=0 field=_raw "\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"  |...

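The behaviour the answer describes, as an added Python example (not code from the original post or from Splunk): the accepted answer's regex run once, which is what the default max_match=1 does, versus over every match, which is what max_match=0 does, on a constructed copy of the sample event, followed by a step that zips the resulting multivalue fields back into one record per process. The trimmed sample event and the helper names are assumptions made for this example; Python's re module and Splunk's rex share the (?P<name>...) named-group syntax, so the pattern is used unchanged.

```python
import re

# Constructed sample event (not the poster's full data): the `ps aux` listing
# flattened onto one line as it appears in the question, trimmed to three processes.
SAMPLE_EVENT = (
    "98 Processes at: 2015-04-08T19:14:13.270 "
    "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND "
    "root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init "
    "root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd] "
    "root 5 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/0:0H]"
)

# The regex from the accepted answer, unchanged. The header line never matches
# because Pid must be numeric and "PID" is not, so only real process rows are captured.
PROCESS_RE = re.compile(
    r"\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)"
    r"\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)"
    r"\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"
)


def rex_first_match(event: str) -> dict:
    """Like `rex` with the default max_match=1: one match, single-valued fields."""
    m = PROCESS_RE.search(event)
    return m.groupdict() if m else {}


def rex_all_matches(event: str) -> dict:
    """Like `rex max_match=0`: every match, each field becomes a list (multivalue)."""
    fields = {name: [] for name in PROCESS_RE.groupindex}
    for m in PROCESS_RE.finditer(event):
        for name, value in m.groupdict().items():
            fields[name].append(value)
    return fields


def expand_rows(multivalue: dict) -> list:
    """Turn parallel multivalue fields back into one record per process.

    All lists come from the same set of matches, so they have equal length and
    the i-th element of each belongs to the same process (the same idea as
    Splunk's mvzip followed by mvexpand). Misaligned input is rejected.
    """
    names = list(multivalue)
    lengths = {len(multivalue[n]) for n in names}
    if len(lengths) > 1:
        raise ValueError("multivalue fields are not aligned: %r" % lengths)
    count = lengths.pop() if lengths else 0
    return [{n: multivalue[n][i] for n in names} for i in range(count)]


if __name__ == "__main__":
    print("max_match=1 ->", rex_first_match(SAMPLE_EVENT))
    rows = expand_rows(rex_all_matches(SAMPLE_EVENT))
    print("max_match=0 -> %d records" % len(rows))
    for row in rows:
        print(row)
```

Two things worth keeping in mind when using this in Splunk: max_match=0 leaves all the values on the single original event as multivalue fields, so to get one row per process (as in the expected output in the question) the fields still have to be combined with mvzip and split with mvexpand, which is what expand_rows does here; and because Command is \S+, a process whose command line has arguments only has its first token captured, while the remaining tokens are skipped rather than starting a new match, since Pid has to be numeric.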
