Solved: Need some help with a repeating regex

mw · ‎12-12-2010

I have an event with a field like this: ids="ID-120-1, ID-141-5, ID-92-5, N/A"

I'd like to extract the field and only keep IDs (i.e. I don't want the "N/A" value).

I have a transforms entry like this:

[mv-ids]
REGEX = \bid=\"(?<id>(ID-\d+-\d+)+)
MV_ADD = true

and my props.conf

[mysourcetype]
REPORT-ids = mv-ids

This isn't working as I would hope though. I'm only getting the first ID. What do I need to do to get all of the IDs added to the id field?

mw · ‎12-13-2010

Looks like this is the solution: http://answers.splunk.com/questions/9853/multivalue-field-regex-question/9875#9875

View solution in original post

mw · ‎12-13-2010

Looks like this is the solution: http://answers.splunk.com/questions/9853/multivalue-field-regex-question/9875#9875

jamesdon · ‎12-12-2010

I don't think you need the last plus sign.

Try:

REGEX = \bid=\"(?<id>(ID-\d+-\d+))
FORMAT = mv-id::$1

Jim

mw · ‎12-12-2010

That doesn't seem to work. I end up with 1 entry in the field and it's the entire string. Oh, I was so hopeful. I'm about to put my head through a wall. 🙂

Need some help with a repeating regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!