- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field extraction with multiple matches per line
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm trying to pull out the MAC addresses from a series of records which is mostly working using the following regex in the field extraction :-
(?i) .*? (?P
The problem I'm finding is that I have two MAC addresses in a number of records and the field extraction is only seeing the first in the record. The examples below show what I mean, only the Bold MAC is being caught.
Jun 15 14:54:26 10.2.196.20 90: Jun 15 13:55:00.703 UTC: %DOT11-6-ROAMED: Station 0013.e8f5.f15d Roamed to 001e.4ae0.3f50
Jun 15 14:34:55 10.2.196.26 32: 000030: Jun 15 13:35:29.536 UTC: %DOT11-6-ROAMED: Station 2477.0338.1c64 Roamed to 001e.4ae0.3dc0
Jun 15 14:33:34 10.2.196.36 4689: 012274: Jun 15 13:34:08.300 UTC: %DOT11-6-ROAMED: Station 5894.6b3e.f98c Roamed to 001e.7a17.c670
Jun 15 14:33:32 10.2.196.36 4686: 012271: Jun 15 13:34:06.734 UTC: %DOT11-6-ROAMED: Station 8853.2ec4.b913 Roamed to 001e.7a17.bb90
Jun 15 14:33:05 10.2.196.32 125: 000123: Jun 15 13:33:39.710 UTC: %DOT11-6-ROAMED: Station 2477.0317.10b0 Roamed to 001e.4ade.ed50
Is there a way to catch multiple occurrences on the same line?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Certainly. By default Splunk will only match once per event and "discard" other matches it finds. This is defined by the MV_ADD parameter in transforms.conf, which is false by default.
MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the
* newly found value, otherwise the newly found value is discarded.
* Defaults to false
This is if you've setup a REPORT directive in props.conf. If you haven't, but used an EXTRACT directive instead, you will need to convert it to a REPORT and create the corresponding transform in transforms.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I also had a same question.
http://splunk-base.splunk.com/answers/53883/how-to-configure-mv_add-in-the-search-language
and I came up with this search...
"some saerch to filter" | rex field=string max_match=10000 "(?<chars>...)" | chart count by string chars
This will get any 3 chars in a field called string.
I hope this also good for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Certainly. By default Splunk will only match once per event and "discard" other matches it finds. This is defined by the MV_ADD parameter in transforms.conf, which is false by default.
MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the
* newly found value, otherwise the newly found value is discarded.
* Defaults to false
This is if you've setup a REPORT directive in props.conf. If you haven't, but used an EXTRACT directive instead, you will need to convert it to a REPORT and create the corresponding transform in transforms.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks worked for me!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
