Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex not iterating over large string

evan_roggenkamp
Path Finder
‎09-07-2016 02:45 PM

I am trying to use rex to extract the hostnames and put them in a table, but rex is only matching the first string and then it stops

rex "(HOSTNAME: )(?<node_name>.*)\s\(" | table node_name

The data is part of a job log I am ingesting files and directories input.

The textfile is formatted like this:

___________________________________________________________________________
HOSTNAME: HOST-ASR9001-Aggr1.mrcl1.domain.net (10.140.255.7):
 ERROR: Cannot download Running config : Connection Refused by 10.140.255.7
___________________________________________________________________________
HOSTNAME: HOST-ASR9001-Aggr1.abvl1.domain.net (10.252.255.50):
downloaded Running config
___________________________________________________________________________
HOSTNAME: HOST-ASR9001-Aggr1.blvw1.domain.net (10.196.255.5):
downloaded Running config
__________________________________________________________________________
HOSTNAME: HOST-ASR9001-Aggr1.clem1.domain.net (10.196.255.1):
downloaded Running config
___________________________________________________________________________
HOSTNAME: HOST-ASR9001-Aggr1.domain.net (10.140.255.9):
downloaded Running config
___________________________________________________________________________
HOSTNAME: HOST-ASR9001-Aggr1.drck1.domain.net (10.132.255.3):
downloaded Running config
___________________________________________________________________________

I did have to clean this file up with python before getting it into splunk, so if some kind of text operation/reorganization would help this go more smoothly that is definitely an option.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-07-2016 02:47 PM

The rex command by default matches only one. Use max_matchoption to increase that limit

 ...| rex max_match=100 "(HOSTNAME: )(?<node_name>.*)\s\(" | table node_name

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-08-2016 04:33 AM

try this

HOSTNAME:\s+(?<myfield>[^ ]+)/g

you can test it on https://regex101.com/
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-07-2016 02:47 PM

The rex command by default matches only one. Use max_matchoption to increase that limit

 ...| rex max_match=100 "(HOSTNAME: )(?<node_name>.*)\s\(" | table node_name
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...