regex stops at first match

mmdacutanan · ‎05-14-2014

I've got a regex that seems to stop at first occurence per line. I am using the 'field extraction' function.
My regexes are:
("(?P\w{1,3}),\d{8},\d{6}.?")+
("((\w+)?,){4}(?P\w),.?")+

Sample data:
["PE,20140512,234402,,X,0.00,0,0", "PE,20140512,234402,W4325,H,0.00,0,0"]

Actual results:
First regex captures first match which is 'PE' . I see count of one in field discover.
Second regex captures first match which is 'X'. I see a count of one in field discovery.

Expected:
Capture PE and show count of 2.
Caputre X and show count of 1.
Capture H and show count of 1.

martin_mueller · ‎05-14-2014

Move your extraction to transforms.conf, set MV_ADD = true, refer to the stanza in props.conf with REPORT-foo - see http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/transformsconf for reference.

martin_mueller · ‎05-15-2014

After defining the field transforms you need to reference it in a field extraction, select "uses transforms" instead of the "inline" setting you've been using so far.

http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Managesearch-timefieldextractions#Type_c...

mmdacutanan · ‎05-15-2014

hi Martin! thank you for the suggestion. I can only access splunk thru splunk web. I do see a field transformation page there. I have never used this before (i have only used field extraction so far) and I am sort of learning on my own. So after I define the new transform, how do I access it exactly when I run my query/search?
Thanks!

regex stops at first match

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!