Repeating regex to fill multivalue field

Derek
Path Finder

Ok. Not having a spectacular regex day...

I have this:

Recipients: joe.smith@mig.mydomain.com, jane.smith@mig.mydomain.com, bob.smith@mig.mydomain.com,

In props.conf I have:

[mySource]
EXTRACT-recipients = (?i)Recipients: (?P<recipients>.*, )
REPORT-to = myTo

and in transforms.conf I have:

[myTo]
REGEX = (?P<to>.*?[,])
SOURCE_KEY = recipients
MV_ADD = true

It sorta works, but I'm getting each to value twice, and how do I drop the trailing ',' at the end.

Thanks!!

1 Solution

Ledion_Bitincka
Splunk Employee

You can try the following definition for myTo - it should get rid of the trailing commas, however I was not able to get double values. Can you post a complete sample event and all transforms that extract a field named 'to'?

[myTo]
REGEX = (?P<to>[^,]+)[,]
SOURCE_KEY = recipients
MV_ADD = true

Derek
Path Finder

The regex worked great. Thanks! I sorted out the issue with the duplicates. It was the way I was using extract to reload my props/transforms.
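
An added example, not code from the thread: a Python approximation of the props/transforms pair above, comparing the question's REGEX, the accepted answer's REGEX, and a hypothetical whitespace-trimming variant (`TRIMMED`, an assumption). Python's `re` stands in for Splunk's regex engine, `re.finditer` for the repeated matching that `MV_ADD = true` collects, and the sample events are constructed.

```python
import re

# Constructed sample event, modelled on the line in the question
# (note the trailing ", " that EXTRACT-recipients relies on).
EVENT = ("Recipients: joe.smith@mig.mydomain.com, "
         "jane.smith@mig.mydomain.com, bob.smith@mig.mydomain.com, ")

# Same pattern as EXTRACT-recipients in props.conf.
EXTRACT = re.compile(r"(?i)Recipients: (?P<recipients>.*, )")

# Candidate REGEX values for the [myTo] stanza.
ORIGINAL = r"(?P<to>.*?[,])"         # from the question
ANSWER = r"(?P<to>[^,]+)[,]"         # from the accepted answer
TRIMMED = r"\s*(?P<to>[^,\s]+)\s*,"  # added variant (assumption, not from the thread)


def mv_extract(event, regex):
    """Approximate SOURCE_KEY = recipients with MV_ADD = true:
    apply the regex repeatedly and collect every 'to' capture."""
    m = EXTRACT.search(event)
    if m is None:
        return []
    return [hit.group("to") for hit in re.finditer(regex, m.group("recipients"))]


def needs_cleanup(values):
    """Values that still carry a comma or surrounding whitespace."""
    return [v for v in values if v != v.strip() or "," in v]


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("answer", ANSWER), ("trimmed", TRIMMED)):
        vals = mv_extract(EVENT, rx)
        print(f"{name:8} dirty={len(needs_cleanup(vals))} {vals!r}")
    # Edge case: if the event ends in "," with no following space, the greedy
    # ".*, " in the EXTRACT stops at the last ", " and the final address is lost.
    print("no trailing space:", mv_extract(EVENT.rstrip(), TRIMMED))
```

In this approximation the accepted answer's pattern drops the commas but keeps the space that follows each comma as a leading space on the second and later values, which matters if `to` is later compared against exact addresses.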
