About Phil_S

Phil_S · ‎09-15-2022

It doesn't matter if the number of values is variable, in that as long as you have enough 1 2 3 4 etc to handle the max you will ever see, that's fine. Perfect, that works for me. Thanks!!

Phil_S · ‎09-14-2022

Thanks! This is a huge step forward. Unfortunately, the number of items is variable. Is there a way I can rebuild the loop using mvcount() or somethink like that? foreach 0...mvcount(field_name) Something like the above? Appreciate your help so far!

Phil_S · ‎09-14-2022

Hi All, I have a search which parses key/value pairs out of a strangely-formatted XML field. rex field=xml "<N>(?<field_name>(.*?))</N><V>(?<field_value>(.*?))<" | eval {field_name}=field_value Above, when there is a single match, this works as expected. I have the field name and the field value available as a field in my results. What I don't know how to do, is make this work for multiple matches. When I run: rex field=xml max_match=0 "<N>(?<field_name>(.*?))</N><V>(?<field_value>(.*?))<" | eval {field_name}=field_value Then both field_name and field_value are multi-value fields. I would like to make each key=value available in the results as I did above. Can anyone give me a pointer on how to accomplish this? Thanks.

Posts	3
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎09-14-2022

Online Status	Offline
Date Last Visited	‎09-15-2022 05:57 AM

Help with rex and multi-value fields, assigning ke...

Re: rex and multi-value fields, assigning key valu...

Re: rex and multi-value fields, assigning key valu...

Help with rex and multi-value fields, assigning ke...

Are you a member of the Splunk Community?

Help with rex and multi-value fields, assigning ke...

Re: rex and multi-value fields, assigning key valu...

Re: rex and multi-value fields, assigning key valu...

Help with rex and multi-value fields, assigning ke...