Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: rex multiple matches in single event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I using a query :
index=abc source="unknown.log" "192.0.44.13" | rex "Value 0: (?<device>.*)" | rex "Value 1: (?<ip>.*)" | stats count by device ip
And this gives me only 2 results whereas i have multiple results.
The only problem is all the matches are in single event. which looks like below.
Wed Aug 21 18:34:57 2019: Unknown trap abc at:
Value 0: abc
Value 1: 192.2.86.53
Value 2:
Value 3:
Value 4:
Value 5:
Value 6:
Value 7:
Value 8:
Value 9:
Value 10:
Wed Aug 21 18:34:57 2019: Unknown trap abc at:
Value 0: xyz
Value 1: 192.2.87.42
Value 2:
Value 3:
Value 4:
Value 5:
Value 6:
Value 7:
Value 8:
Value 9:
Value 10:
As you can see here since the at the same time events occur they get merged to a single even and i want all the matches for "Value 0:" and "Value 1:" from the single event.
The query which i have pasted works and fetches me only the first match not all.
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try
index=abc source="unknown.log" "192.0.44.13" | rex max_match=0 "Value 0: (?<device>.*)" | rex max_match=0 "Value 1: (?<ip>.*)" | stats count by device ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi surekhasplunk,
is it possible for you divide your event in different ones? they seem to be different events.
Anyway, you can extract more values for each field but all the values are in the same field, you haven't different rows, so when you try to use stats you haven't a count for each value.
in other words, you'll have something like this
_time message Value_0 Value_1
Wed Aug 21 18:34:57 2019 Unknown trap abc at abc 192.2.86.53
Wed Aug 21 18:34:57 2019 Unknown trap abc at xyz 192.2.87.42
but both the values are in the same field value, this means that you have to use also mvexpand command.
Try something like this:
index=abc source="unknown.log" "192.0.44.13"
| rex max_match=0 "Value 0: (?<device>.*)"
| rex max_match=0 "Value 1: (?<ip>.*)"
| mvexpand device
| mvexpand ip
| stats count by device ip
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try
index=abc source="unknown.log" "192.0.44.13" | rex max_match=0 "Value 0: (?<device>.*)" | rex max_match=0 "Value 1: (?<ip>.*)" | stats count by device ip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @harsmarvania57
It worked like magic but whats the logic behind using it ? Can you please explain.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
max_match=0 in rex command will match same regex N number of times.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok... thanks a ton 🙂 @harsmarvania57
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
