Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- regex multivalue grouping
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
I am pretty new to regex and need help with getting repeated values from one event (record).
Splunk is showing one event "EventType" as below
00:00:00:000,210234,ABCMachineIdleState,0;00:00:03:280,210235,ABCClientSelection,1;00:00:04:050,210236,ABCClientVerification,4;00:00:06:550,210237,ABCClientAuthorisation,4;00:00:07:780,210238,ABCClientBookSelection,0;00:01:09:050,210239,ABCClientDateSelection,0;00:01:10:660,210240,ABCClientLocationSelection,0;00:01:12:230,210241,ABCClientRequestReview,0;00:01:14:740,210242,ABCClientRequestConfirmation,4;00:01:16:420,210243,ABCClientSubmitRequst,0;00:01:28:770,210244,ABCClientRequestResultDisplay,4;
New record...."
The above record contains time as (hh:mm:ss:ms), ReferenceNumber, ActionType,Status.
I have regex constructed as below:
"\.?(?\d\d\:\d\d\:\d\d\:\d\d\d)*(?\d\d\d\d)*(?<SubCategory>ABC\w*)*(?\d)?"
The above query will only capture the first instance for each record and each field:
"00:00:00:000,210234,MachineIdleState,0;"
BUT what I need is to capture all of the following ActionTypes from each record. I guess what I need is some sort of loop to capture all fields and its corresponding values within the record.
Please bear in mind that I will need to create these new fields in the dataModel.
Any help will be much appreciated!
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Out of curiosity, why don't you separate your events first using split and then capture the values you need?
Something like:
| eval NewEventType = split(EventType, ";")
| mvexpand NewEventType
| rex field=NewEventType "(?<Time>[^\,]+)\,(?<ReferenceNumber>[^\,]+)\,(?<ActionType>[^\,]+)\,(?<Status>[^\,]+);"
Or alternatively you could multi match:
| rex field=EventType max_match=0 "(?<Time>[^\,]+)\,(?<ReferenceNumber>[^\,]+)\,(?<ActionType>[^\,]+)\,(?<Status>[^\,]+);"
Let me know if that works. Keep in mind I haven't tested it so there might be typos, but it should be enough to help you understand the logic.
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Out of curiosity, why don't you separate your events first using split and then capture the values you need?
Something like:
| eval NewEventType = split(EventType, ";")
| mvexpand NewEventType
| rex field=NewEventType "(?<Time>[^\,]+)\,(?<ReferenceNumber>[^\,]+)\,(?<ActionType>[^\,]+)\,(?<Status>[^\,]+);"
Or alternatively you could multi match:
| rex field=EventType max_match=0 "(?<Time>[^\,]+)\,(?<ReferenceNumber>[^\,]+)\,(?<ActionType>[^\,]+)\,(?<Status>[^\,]+);"
Let me know if that works. Keep in mind I haven't tested it so there might be typos, but it should be enough to help you understand the logic.
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kakarsu, did the above work you?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @javiergn it did the trick. Much appreciated mate!
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know
October Community Champions: A Shoutout to Our Contributors!
