×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
jhuxley
Engager
Member since: ‎08-10-2016
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎08-10-2016
Activity Feed
View All

Re: Extract both single-value and multivalue field...

by in Splunk Search
‎08-11-2017 01:41 AM
‎08-11-2017 01:41 AM
thanks @somesoni2 you put me on the right track, I changed my regex to extract all the a1-a99 paramters into a single field (args) and then ran a 2nd rex against that to extract them parameters into a multivalues field ... View more

Extract both single-value and multivalue fields us...

by in Splunk Search
‎08-09-2017 09:43 AM
‎08-09-2017 09:43 AM
I seem to be unable to comment on the similar questions, but as they haven't answered my question, here I go. With the event node=hostname a0=first a1=second a2=third a3=fourth using rex rex max_match=0 field=_raw "node=(?<node>[^\s]+) a0=(?<cmd>[^\s+]+) a[1-9]=(?<args>[^\s]+)" returns node, cmd and only 1 args but rex max_match=0 field=_raw "a[1-9]=(?<args>[^\s]+)" returns all the args Is there are way to achieve the former with args as a multivalue field? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All