Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you use rex's max_match option?

cfergus
Path Finder
‎04-09-2010 07:02 PM

At search time, I want to extract multivalued fields. The docs for rex say to use the max_match option.

Example: I want to have a multivalued field containing all hyphenated words in an event.

So for this data:

data one-fish two-fish red-fish rock-fist

My resulting field should be 'hyphenated', with the value of 'one-fish,two-fish,red-fish,rock-fist' (or however it's represented)

My search to extract this field should look like this:

search * | rex field=_raw "(?<hyphenated>\S+\-\S+) max_match=10

This results in "Error in 'rex' command: Invalid argument: 'max_match=10'

Tried this in 4.0.3 and 4.0.7 with no luck. Is this option bogus?

Tags (1)
Reply

dkeesling
Explorer
‎09-26-2016 12:27 PM

You need to end your "quotation marks" then max match
I think max_match only works outside of the actual rex statement.

Example Event1: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Dead:/color1}
Example Event2: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Alive:/color2}
Example Event3: 2016-09-22 14:14:34,029 INFO [GOONIES_CHARACTERS-V1] org.goonies.com.babyruth.logger {CHUNK_STATUS=Harm:/color3}

index=CHOCOLATE GOONIES_CHARACTERS CHUNK_STATUS=*
| rex "CHUNK_STATUS={(?[a-zA-Z0-9;:. /-]+)}" max_match=100
| table CHNK_STAT _raw

This should put the 3 statsus in a table with the raw event next to it.

Im on splunk 6.3 - hope this helped!

Snoochie Boochies!

Reply

yoho
Contributor
‎07-12-2019 02:19 AM

I downvoted this post because i upvoted it but it's actually a bad answer

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-09-2010 08:16 PM

No it is not. It works as documented for me in 4.0.9 and 4.0.10. It appears that it

It looks to me unless you just had a transcription error that you are missing your closing double-quote after your regex though.

Update: It is not in 4.0.3, and the online docs are incorrect if they state they are. (The in-product help, however, is correct and does list all available options in that version, so in case of conflict, go with the in-product help.)

Reply

sbsbb
Builder
‎05-02-2013 02:07 AM

By me on 4.3.3 it doesn't work as designed
max_match=100 is working
but
max_match=0 doesn't work, return no result, in place of unlimited.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...