Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex - multiple matches and using |

jshaynes
Explorer
‎12-12-2011 03:43 PM

I'm trying to run several field extractions using the rex command. Here is a sample log format:

ironportmail: Info: MID 42342 ICID 1234 From: xyz@yyx.com
ironportmail: Info: MID 42342 ICID 1234 To: abc@def.com

I'd like to extract the MID, ICID, From and To fields using just one rex command. (This is so I can wrap an eventtype around it.)

Conceptually I'm looking for something like this, but havent been able to get it to work:

rex field=_raw "MID (?[^ ]+) | ICID (?[^ ]+) | From: <(?[^>]+)> | To: <(?[^>]+)"

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎12-13-2011 12:22 AM

I think you'd be better off putting this in props.conf / transforms.conf instead so you won't have to specify your field extractions explicitly in each search that you want to use these fields.

That said, this will work, though with a caveat:

... | rex field=_raw max_match=10 "(?:MID (?<mid>[^ ]+)|ICID (?<icid>[^ ]+)|From: <(?<mailfrom>[^>]+)>|To: <(?<mailto>[^>]+))"

The caveat being that you will need to provide rex with a max_match (default is 1), otherwise it will stop once it finds its first match.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎12-13-2011 12:22 AM

I think you'd be better off putting this in props.conf / transforms.conf instead so you won't have to specify your field extractions explicitly in each search that you want to use these fields.

That said, this will work, though with a caveat:

... | rex field=_raw max_match=10 "(?:MID (?<mid>[^ ]+)|ICID (?<icid>[^ ]+)|From: <(?<mailfrom>[^>]+)>|To: <(?<mailto>[^>]+))"

The caveat being that you will need to provide rex with a max_match (default is 1), otherwise it will stop once it finds its first match.

Reply
Solved! Jump to solution

jshaynes
Explorer
‎12-13-2011 10:51 AM

couple of follow up questions:

  1. what does the ?: at the beginning do. the query seems to work fine without it
  2. any way to prevent all of the empty matches that get returned as a result of changing max_match?

ex, I get a bunch of empty mailfrom, mailto, etc. fields since they don't all occur on every line:

sample field list from search results:
mailfrom="" | mailfrom="" | mailfrom="" | mailfrom=""abc@bvd.com" | mailto="" | mailto="" | mailto="xyz@abc.com" | ... etc

0 Karma
Reply
Solved! Jump to solution

jshaynes
Explorer
‎12-13-2011 10:44 AM

awesome, that did it. thanks.

the reason im running these inline is because I am searching off of a summary index. those fields do already get extracted automatically for regular searches, but since the fields get dropped after doing a " | collect index=summary", im having to recreate them.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...