Hi @pwmcity, thank you very much for this. I'll be able to work with this.

Many thanks and kind regards

Chris

Did it work? What's the error?

regex appears to work: https://regex101.com/r/uP9iB9/1

Hi intially, I received an unbalanced quotes error message, so I inserted a " at the end of the regex which removed the error.

I then add | stats count by empRef to the end of the search because I am just wanting to create a list of the empRef field values, and although the search runs and the events are shown, no list is being created.

My apologies for the novice type problem.

Many thanks and kind regards

Chris

Hi I'm not sure whether this is of help, but I've managed to get the 'Field Extractor' working and have come up with the following:

 (?=[^e]*(?:empRef|e.*empRef))^(?:[^\\\n]*\\){7}"(?P<REF>[^\\]+)

The problem I have is that I'm not sure how to incorporate this into my search.

I've tried rex " (?=[^e]*(?:empRef|e.*empRef))^(?:[^\\\n]*\\){7}"(?P[^\\]+)" but I receive a parser error.

Many thanks and kind regards

Chris

Not sure what's going on there, but your regex has gotten overly complicated!

Is it that you're trying to capture multiple empRef in a single event? The Rex command defaults to 1, so you can set that with max_match=0 for unlimited.

I put your example string into splunk, to see if it was the way splunk handles double-quotes... but that's not the case and it worked fine, it produces a field 'var' with your example data, and a field 'empRef' with the expected 2 values

index=_internal
| eval var="[{\"friendlyName\":\"\",\"empRef\":\"012/AB00000\"},{\"friendlyName\":\"\",\"empRef\":\"023/AB11111\"}]"
| rex field=var "\"empRef\":\"(?<empRef>[^\"]*)\"" max_match=0

Hi thank you for coming back to me with this I really appreciate it.

Your assumption is correct in that I'm trying to extract multiple empRef's from a single event, so I ran your script and it works perfectly.

But when I tried to run this using my full script i.e.

index="main" detail.responseMessage="*empRef*" | rex field=var "\"empRef\":\"(?<empRef>[^\"]*)\"" max_match=0
  | stats count by empRef

the list of empRef's are not shown.

Many thanks for all your help and kind regards

Chris

It could be an issue with mv .... the problem is that since there are multiple empRef values per event, it means now you have a 'multivalue' field. If you look up the available mv commands (http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Commandsbycategory) and search for mv ... you'll see a few commands there.

You could try | mvexpand empRef | stats count by empRef

Aside from that, have you gone into verbose mode and checked to see if your empRef field is actually being populated?

Hi @pwmcity, thank you very much for coming back to me with this and my apologies for not replying sooner. The empRef is definitely being populated so I'll have a look at the documentation you highlighted.

Hi @pwmcity, I'm really very sorry to trouble you with this again, but I just wondered whether you may have had a chance to look at my last comment and the problems I'm still having with extracting the data.

Many thanks and kind regards

Chris

HI @liorfink, thank you very much for taking the time to come back to me with this.

Kind regards

Chris