Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

regex stops at first match

mmdacutanan
Explorer
‎05-14-2014 04:34 PM

I've got a regex that seems to stop at first occurence per line. I am using the 'field extraction' function.
My regexes are:
("(?P\w{1,3}),\d{8},\d{6}.?")+
("((\w+)?,){4}(?P\w),.?")+

Sample data:
["PE,20140512,234402,,X,0.00,0,0", "PE,20140512,234402,W4325,H,0.00,0,0"]

Actual results:
First regex captures first match which is 'PE' . I see count of one in field discover.
Second regex captures first match which is 'X'. I see a count of one in field discovery.

Expected:
Capture PE and show count of 2.
Caputre X and show count of 1.
Capture H and show count of 1.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-14-2014 05:36 PM

Move your extraction to transforms.conf, set MV_ADD = true, refer to the stanza in props.conf with REPORT-foo - see http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/transformsconf for reference.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-15-2014 02:49 PM

After defining the field transforms you need to reference it in a field extraction, select "uses transforms" instead of the "inline" setting you've been using so far.

http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Managesearch-timefieldextractions#Type_c...

0 Karma
Reply

mmdacutanan
Explorer
‎05-15-2014 12:55 PM

hi Martin! thank you for the suggestion. I can only access splunk thru splunk web. I do see a field transformation page there. I have never used this before (i have only used field extraction so far) and I am sort of learning on my own. So after I define the new transform, how do I access it exactly when I run my query/search?
Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...