×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bkchung
New Member
Member since: ‎10-06-2014
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-06-2014
Activity Feed
View All

Re: How to extract fields at search-time from a mu...

by in Splunk Search
‎10-08-2014 03:33 PM
‎10-08-2014 03:33 PM
Got your point. Yes, "wp" will be "somevalues" assuming that "something" is "\w+". But this, I would need to rewrite the regex to parse the query strings case by case rather than rely on the existing auto field extraction to treat multivalue cases which is useful if you don't know the fields and presumed values. I was thinking there might be a workaround to do that with "fields + wp" (also for performance). ... View more

Re: How to extract fields at search-time from a mu...

by in Splunk Search
‎10-08-2014 02:39 PM
‎10-08-2014 02:39 PM
I did try max_match=0 but it didn't work for me. ... View more

How to extract fields at search-time from a multiv...

by in Splunk Search
‎10-07-2014 04:01 PM
‎10-07-2014 04:01 PM
Using sourcetype="localapache", extracting fields from the following event only recognizes somevalues but not somevalues2: ::1 - - 2014-10-03 16:10:27.444 Pacific Daylight Time 80 "GET /blah?wp={somevalues}&wp={somevalues2}&more={someother} HTTP/1.1" "-" 204 - "-" 1000 I'm doing the following: sourcetype="localapache" source=access "GET /blah" | fields + wp | rex fields = wp "{...(?<something>...}" | table wp, something Both the names of the pair is "wp". Is there any workaround for this? (Edited some formatting problems with amp,gt,lt, etc.) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM