multiline match for same pattern

tven · ‎04-12-2012

<Product>
 <ProductName>(\w+)</ProductName>
 <ProductName>(\w+)</ProductName>
 <ProductName>(\w+)</ProductName>
</Product>

How do i capture all the product name when the number of ProductName elements is variable? And not sure how to assign the group capture to a named variable when you have 0 or more ProductNames.

index=xyz sourcetype=abc |rex "(?s)<ProductName>(?P<product_sku>\w+)</ProductName>" captures one occurence.

kristian_kolb · ‎04-12-2012

Have you looked at MV_ADD=true in order to get more than the last value?

Basically, you need to do the following changes/additions on your search head, or on your indexer if you don't have a dedicated search head;

in props.conf

[your_xml_sourcetype]
REPORT-gimme_codes = prod_code_extraction

in transforms.conf

[prod_code_extraction]
REGEX = <ProductName>([^<]+)<
FORMAT = product_sku::$1
MV_ADD = True

Hope this helps,

Kristian

multiline match for same pattern

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

multiline match for same pattern

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25