Splunk Search

Using rex to extract multivalue fields from events, why is it only extracting the first record of values?

chimell
Motivator

Hi everyone,

I want to extract a record of values:

I tried with this regex, but it is only extracting the first record:

rex "\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"

I need your help. The following is my sample data:

"================================================================ "
"98 Processes at: 2015-04-08T19:14:13.270 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd] root 3 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/0] root 5 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/0:0H] root 7 0.0 0.0 0 0 ? S Mar04 1:35 [rcu_sched] root 8 0.0 0.0 0 0 ? S Mar04 0:00 [rcu_bh] root 9 0.0 0.0 0 0 ? S Mar04 0:01 [migration/0] root 10 0.0 0.0 0 0 ? S Mar04 0:01 [migration/1] root 11 0.0 0.0 0 0 ? S Mar04 0:18 [ksoftirqd/1] root 13 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/1:0H] root 14 0.0 0.0 0 0 ? S Mar04 0:04 [migration/2] root 15 0.0 0.0 0 0 ? S Mar04 0:03 [ksoftirqd/2] root 17 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/2:0H] root 18 0.0 0.0 0 0 ? S Mar04 0:05 [migration/3] root 19 0.0 0.0 0 0 ? S Mar04 0:04 [ksoftirqd/3] root 21 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/3:0H] root 22 0.0 0.0 0 0 ? S< Mar04 0:00 [khelper]
"================================================================ "

I need to extract from this sample data all the following fields for each record:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

for example the first and the 2nd record should be:

USER  PID  %CPU  %MEM   VSZ   RSS   TTY  STAT  START  TIME  COMMAND
root   1    0.0   0.0  19488  1632   ?    Ss   Mar04  0:01  /sbin/init
root   2    0.0   0.0    0     0     ?    S    Mar04  0:00  [kthreadd]

THANKS

1 Solution

fdi01
Motivator

If you check out the doc on the rex command you'll see that max_match= controls the number of times the regex is matched. If greater than 1, the resulting fields will be multivalued fields. Defaults to 1; use 0 to mean unlimited.
Try like this:

...| rex max_match=0 field=_raw "\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"  |...

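To see what max_match actually changes, here is an added example (not part of the original thread, and not Splunk's own code) that emulates rex max_match=1 versus max_match=0 in Python with the accepted answer's regex. Python's re module accepts the same (?P<name>...) group syntax as Splunk's PCRE, so the pattern is used unchanged. The sample event is a constructed, abbreviated copy of the ps snapshot in the question, with one extra constructed line (an sshd process with a -D argument) that shows the caveat of capturing COMMAND with \S+: everything after the first token of the command line is silently dropped.

```python
import re

# Constructed sample: an abbreviated copy of the single-line "ps aux" snapshot
# from the question, plus one extra (constructed) sshd entry that carries an
# argument, so the COMMAND truncation is visible. Not a live capture.
SAMPLE = (
    "98 Processes at: 2015-04-08T19:14:13.270 "
    "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND "
    "root 1 0.0 0.0 19488 1632 ? Ss Mar04 0:01 /sbin/init "
    "root 2 0.0 0.0 0 0 ? S Mar04 0:00 [kthreadd] "
    "root 5 0.0 0.0 0 0 ? S< Mar04 0:00 [kworker/0:0H] "
    "root 100 0.0 0.1 1234 567 ? Ss Mar04 0:00 /usr/sbin/sshd -D"
)

# Same pattern as the accepted answer. The header row ("USER PID ...") never
# matches because PID must be \d+, so only real process rows are captured.
PATTERN = re.compile(
    r"\s+(?P<User>\S+)\s+(?P<Pid>\d+)\s+(?P<Cpu>\d+\.\d+)\s+(?P<Mem>\d+\.\d+)"
    r"\s+(?P<Vsz>\d+)\s+(?P<Rss>\d+)\s+(?P<Tty>\S+)\s+(?P<Stat>\S+)"
    r"\s+(?P<Start>\S+)\s+(?P<Time>\S+)\s+(?P<Command>\S+)"
)

# Field names in group order (1..11), as Splunk would create them.
FIELD_NAMES = sorted(PATTERN.groupindex, key=PATTERN.groupindex.get)


def rex(raw, max_match=1):
    """Emulate `rex max_match=N`: return {field: [values...]}.

    max_match=1 (Splunk's default) keeps only the first match, which is the
    behaviour the question complains about; max_match=0 means unlimited and
    yields one multivalue field per named group.
    """
    fields = {name: [] for name in FIELD_NAMES}
    for i, match in enumerate(PATTERN.finditer(raw)):
        if max_match and i >= max_match:
            break
        for name, value in match.groupdict().items():
            fields[name].append(value)
    return fields


def mvexpand(fields):
    """Zip the parallel multivalue fields back into one record per process,
    the way mvzip + mvexpand would in SPL. Every field has the same count
    because every value came from the same regex match."""
    columns = [fields[name] for name in FIELD_NAMES]
    return [dict(zip(FIELD_NAMES, row)) for row in zip(*columns)]


if __name__ == "__main__":
    first_only = rex(SAMPLE, max_match=1)
    print("max_match=1 ->", first_only["Pid"])           # only PID 1
    everything = rex(SAMPLE, max_match=0)
    print("max_match=0 ->", everything["Pid"])           # all PIDs
    for row in mvexpand(everything):
        print(row["Pid"], row["Stat"], row["Command"])
    # The "-D" argument of sshd is not part of any record: \S+ stops at the
    # first whitespace, and the leftover token does not match a new row.
```

Once the fields are multivalued in Splunk, the per-process rows in the question are recovered with the same zip-then-expand idea, for example `| eval row=mvzip(mvzip(User,Pid,"|"),Command,"|") | mvexpand row` and a second rex on `row` to split it. Keep the COMMAND caveat in mind when the extraction feeds detection logic: with `\S+`, `/usr/bin/python evil.py` is recorded as just `/usr/bin/python`, and because the whole snapshot is one line, any dropped argument that happens to look like `user number n.n n.n n n ...` would be picked up as a bogus extra record.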
