Splunk Search

Repeating regex to fill multivalue field

Derek
Path Finder

Ok. Not having a spectacular regex day...

I have this:

Recipients: joe.smith@mig.mydomain.com, jane.smith@mig.mydomain.com, bob.smith@mig.mydomain.com,

In props.conf I have:

[mySource]
EXTRACT-recipients = (?i)Recipients: (?P<recipients>.*, )
REPORT-to = myTo

and in transforms.conf I have:

[myTo]
REGEX = (?P<to>.*?[,])
SOURCE_KEY = recipients
MV_ADD = true

It sorta works, but I'm getting each to value twice, and how do I drop the trailing ',' at the end?

Thanks!!

1 Solution

Ledion_Bitincka
Splunk Employee

You can try the following definition for myTo - it should get rid of the trailing commas, however I was not able to get double values. Can you post a complete sample event and all transforms that extract a field named 'to'?

[myTo]
REGEX = (?P<to>[^,]+)[,]
SOURCE_KEY = recipients
MV_ADD = true
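
Added example (not part of the original thread): a Python approximation of how the `[myTo]` transform splits `recipients` when the regex is applied repeatedly, as `MV_ADD = true` does. Python's `re` stands in for Splunk's regex engine, the event is constructed from the line in the question, and the `trimmed` pattern and all function names are assumptions rather than anything from the posts.

```python
import re

# Constructed sample event, modelled on the line in the question (with the
# trailing ", " that the EXTRACT regex requires).
EVENT = ("Recipients: joe.smith@mig.mydomain.com, jane.smith@mig.mydomain.com, "
         "bob.smith@mig.mydomain.com, ")

# Same pattern as EXTRACT-recipients in props.conf.
EXTRACT = re.compile(r"(?i)Recipients: (?P<recipients>.*, )")

PATTERNS = {
    "question": r"(?P<to>.*?[,])",          # original [myTo] REGEX
    "answer":   r"(?P<to>[^,]+)[,]",        # REGEX from the accepted answer
    "trimmed":  r"\s*(?P<to>[^,\s]+)\s*,",  # assumption: variant that also drops whitespace
}


def source_key(event):
    """Return the 'recipients' value the EXTRACT regex would produce, or None."""
    m = EXTRACT.search(event)
    return m.group("recipients") if m else None


def mv_values(pattern, text):
    """Approximate MV_ADD = true: collect the 'to' group of every successive match."""
    return [m.group("to") for m in re.finditer(pattern, text)]


def compare(event):
    """Map each pattern name to the multivalue list it yields for this event."""
    key = source_key(event)
    if key is None:          # no Recipients: line, so the transform has no input
        return {name: [] for name in PATTERNS}
    return {name: mv_values(rx, key) for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, values in compare(EVENT).items():
        print(f"{name:9}", values)
```

In this approximation the answer's pattern drops the commas but keeps the space that follows each comma on the second and later values; the `trimmed` variant removes both.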

Derek
Path Finder

The regex worked great. Thanks! I sorted out the issue with the duplicates. It was the way I was using extract to reload my props/transforms.
