Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- regex multivalue grouping
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
I am pretty new to regex and need help with getting repeated values from one event (record).
Splunk is showing one event "EventType" as below
00:00:00:000,210234,ABCMachineIdleState,0;00:00:03:280,210235,ABCClientSelection,1;00:00:04:050,210236,ABCClientVerification,4;00:00:06:550,210237,ABCClientAuthorisation,4;00:00:07:780,210238,ABCClientBookSelection,0;00:01:09:050,210239,ABCClientDateSelection,0;00:01:10:660,210240,ABCClientLocationSelection,0;00:01:12:230,210241,ABCClientRequestReview,0;00:01:14:740,210242,ABCClientRequestConfirmation,4;00:01:16:420,210243,ABCClientSubmitRequst,0;00:01:28:770,210244,ABCClientRequestResultDisplay,4;
New record...."
The above record contains time as (hh:mm:ss:ms), ReferenceNumber, ActionType,Status.
I have regex constructed as below:
"\.?(?\d\d\:\d\d\:\d\d\:\d\d\d)*(?\d\d\d\d)*(?<SubCategory>ABC\w*)*(?\d)?"
The above query will only capture the first instance for each record and each field:
"00:00:00:000,210234,MachineIdleState,0;"
BUT what I need is to capture all of the following ActionTypes from each record. I guess what I need is some sort of loop to capture all fields and its corresponding values within the record.
Please bear in mind that I will need to create these new fields in the dataModel.
Any help will be much appreciated!
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Out of curiosity, why don't you separate your events first using split and then capture the values you need?
Something like:
| eval NewEventType = split(EventType, ";")
| mvexpand NewEventType
| rex field=NewEventType "(?<Time>[^\,]+)\,(?<ReferenceNumber>[^\,]+)\,(?<ActionType>[^\,]+)\,(?<Status>[^\,]+);"
Or alternatively you could multi match:
| rex field=EventType max_match=0 "(?<Time>[^\,]+)\,(?<ReferenceNumber>[^\,]+)\,(?<ActionType>[^\,]+)\,(?<Status>[^\,]+);"
Let me know if that works. Keep in mind I haven't tested it so there might be typos, but it should be enough to help you understand the logic.
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Out of curiosity, why don't you separate your events first using split and then capture the values you need?
Something like:
| eval NewEventType = split(EventType, ";")
| mvexpand NewEventType
| rex field=NewEventType "(?<Time>[^\,]+)\,(?<ReferenceNumber>[^\,]+)\,(?<ActionType>[^\,]+)\,(?<Status>[^\,]+);"
Or alternatively you could multi match:
| rex field=EventType max_match=0 "(?<Time>[^\,]+)\,(?<ReferenceNumber>[^\,]+)\,(?<ActionType>[^\,]+)\,(?<Status>[^\,]+);"
Let me know if that works. Keep in mind I haven't tested it so there might be typos, but it should be enough to help you understand the logic.
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @kakarsu, did the above work you?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @javiergn it did the trick. Much appreciated mate!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
