Splunk Search

Using rex to extract multivalue fields from events, why is it only extracting the first record of values?

chimell
Motivator

Hi everyone,

I want to extract a record of values:

I tried with this regex, but it is only extracting the first record:

rex "\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"

I need your help. The following is my sample data:

"================================================================ "
"98 Processes at: 2015-04-08T19:14:13.270 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd] root 3 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/0] root 5 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/0:0H] root 7 0.0 0.0 0 0 ? S Mar04 1:35 [rcu_sched] root 8 0.0 0.0 0 0 ? S Mar04 0:00 [rcu_bh] root 9 0.0 0.0 0 0 ? S Mar04 0:01 [migration/0] root 10 0.0 0.0 0 0 ? S Mar04 0:01 [migration/1] root 11 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/1] root 13 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/1:0H] root 14 0.0 0.0 0 0 ? S Mar04 0:04 [migration/2] root 15 0.0 0.0 0 0 ? S Mar04 0:03 [ksoftirqd/2] root 17 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/2:0H] root 18 0.0 0.0 0 0 ? S Mar04 0:05 [migration/3] root 19 0.0 0.0 0 0 ? S Mar04 0:04 [ksoftirqd/3] root 21 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/3:0H] root 22 0.0 0.0 0 0 ? S< Mar04 0:00 [khelper]
"================================================================ "

I need to extract from this sample data all the following fields for each record:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

For example, the first and second records should be:

USER  PID  %CPU  %MEM   VSZ   RSS   TTY  STAT  START  TIME  COMMAND
root   1    0.0   0.0  19488  1632   ?    Ss   Mar04  0:01  /sbin/init
root   2    0.0   0.0    0     0     ?    S    Mar04  0:00  [kthreadd]

THANKS

1 Solution

fdi01
Motivator

If you check out the doc on the rex command you'll see that `max_match=` controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1; use 0 to mean unlimited.
Try like this:

...| rex max_match=0 field=_raw "\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"  |...

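What `max_match=0` does, and what you do with the multivalue fields afterwards, shown as an added Python example (not code from the original thread or from Splunk): it re-implements the rex behaviour with `re.finditer` over a truncated copy of the sample event from the question, then expands the aligned multivalue fields into one record per process, the way `mvzip` and `mvexpand` would in SPL. The function names `rex` and `mvexpand` and the shortened sample event are this example's own.

```python
import re

# Sample event copied from the question (ps output captured as one Splunk event),
# truncated to the first four processes to keep the example short.
SAMPLE_EVENT = (
    "98 Processes at: 2015-04-08T19:14:13.270 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND "
    "root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init "
    "root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd] "
    "root 3 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/0] "
    "root 5 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/0:0H]"
)

# The pattern from the accepted answer, unchanged. Python's re module accepts the
# (?P<name>...) group syntax that Splunk's PCRE-based rex uses, so it can be reused as-is.
PS_PATTERN = re.compile(
    r"\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)"
    r"\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)"
    r"\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"
)


def rex(event, pattern, max_match=1):
    """Mimic `rex max_match=N` (hypothetical helper, not Splunk's implementation).

    Returns a dict of field name -> list of values. max_match=1 (the rex default)
    stops after the first match, which is why the question only saw one process.
    max_match=0 means unlimited: every matching process line contributes one value
    to each field, so each field becomes a multivalue field.
    """
    fields = {name: [] for name in pattern.groupindex}
    for count, m in enumerate(pattern.finditer(event), start=1):
        for name, value in m.groupdict().items():
            fields[name].append(value)
        if max_match and count >= max_match:
            break
    return fields


def mvexpand(fields):
    """Turn aligned multivalue fields into one record per process.

    This is what `eval z=mvzip(...) | mvexpand z` achieves in SPL. The values line
    up by index because every match populates every named group exactly once.
    """
    names = list(fields)
    return [dict(zip(names, values)) for values in zip(*(fields[n] for n in names))]


if __name__ == "__main__":
    # Default rex behaviour: a single record.
    print(rex(SAMPLE_EVENT, PS_PATTERN))
    # max_match=0: multivalue fields, then one row per process.
    for record in mvexpand(rex(SAMPLE_EVENT, PS_PATTERN, max_match=0)):
        print(record)
```

Two things worth knowing before relying on this in a search. The preamble (`98 Processes at: ...`) and the header row never match, because `Pid` requires `\d+`, so they are skipped without any special handling. But `(?P<Command>\S+)` keeps only the first token of COMMAND: for a line such as `/usr/sbin/sshd -D` the `-D` is silently dropped (it cannot start a new match, since the token after it is not a numeric PID), so field alignment survives but arguments you might want to alert on do not. If the arguments matter, the last group needs a pattern that runs up to the next user/PID pair rather than `\S+`.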
