Solved: where can i set max_match option ?

rakesh_498115 · ‎02-12-2013

Hi ..

For all the regular expression fields created using rex command , there is option called max_match to match all the occurrences of the rex field. Can i know where we will define this option ..to reflect to all the rex fields..

In my props.conf..
i have something like this

EXTRACT-myapps:(?[^<]*)<

So for this field ProductName i want to increase the max_match count or i need to keep max_match = 0 to match all the occurences possible....
Query used with max_match :

sourcetype="myapps" | rex max_match=0 "(?[^<]*)<" | top ProductName

If i give it query its working but i need to know whether i can give in my conf files..please help..

jonuwz · ‎02-12-2013

You can't.

You need to move the extraction to transforms.conf, and specify MV_ADD=true

I dont think you can specify a max_matches, it'll just find them all.

docs

View solution in original post

jonuwz · ‎02-12-2013

You can't.

You need to move the extraction to transforms.conf, and specify MV_ADD=true

I dont think you can specify a max_matches, it'll just find them all.

docs

rakesh_498115 · ‎02-15-2013

yeah its really.. 🙂

jonuwz · ‎02-15-2013

good man. the world of transform opens up a world of possibilities

rakesh_498115 · ‎02-15-2013

Thanks jonuwz..I finally managed to get it...:)

jonuwz · ‎02-12-2013

You try it, and if you get stuck, post what you tried, and why it didn't work.

rakesh_498115 · ‎02-12-2013

oh..in that case can you transform my rex above to transforms.conf pls..

where can i set max_match option ?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?