Solved: Re: How to repeat a regex to match more than one i...

att35 · ‎02-02-2024

Hi,

We are using following regex to capture "caused by" exceptions within java stack trace.

Caused by: (?P<Exception>[^\r\n]+)

When testing in regex101, it seems to be working well. Captures both instances of "caused by" in the sample trace.

https://regex101.com/r/yL1ucO/1

But when used with EXTRACT within props.conf, Splunk only gets the first instance, i.e. "SomeException". 2nd occurrence, "AnotherException" is not captured.

Should I be using REPEAT_MATCH with transforms stanza, or is there a way to fix this within props itself?

PickleRick · ‎02-02-2024

Yes. The additional options are one of the reasons for using TRANSFORM-based exractions instead of REPORT.

Notice, however, that REPEAT_MATCH is for index-time extractions. You might want to consider MV_ADD

View solution in original post

PickleRick · ‎02-02-2024

Yes. The additional options are one of the reasons for using TRANSFORM-based exractions instead of REPORT.

Notice, however, that REPEAT_MATCH is for index-time extractions. You might want to consider MV_ADD

How to repeat a regex to match more than one instances

regex

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?