Extract both single-value and multivalue fields us...

jhuxley · ‎08-09-2017

I seem to be unable to comment on the similar questions, but as they haven't answered my question, here I go.

With the event

node=hostname a0=first a1=second a2=third a3=fourth

using rex

rex max_match=0 field=_raw "node=(?<node>[^\s]+) a0=(?<cmd>[^\s+]+) a[1-9]=(?<args>[^\s]+)"

returns node, cmd and only 1 args

but

rex max_match=0 field=_raw "a[1-9]=(?<args>[^\s]+)"

returns all the args

Is there are way to achieve the former with args as a multivalue field?

jhuxley · ‎08-11-2017

thanks @somesoni2 you put me on the right track,

I changed my regex to extract all the a1-a99 paramters into a single field (args) and then ran a 2nd rex against that to extract them parameters into a multivalues field

richgalloway · ‎08-11-2017

If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

maciep · ‎08-09-2017

I think it's a regex thing, not a splunk thing. This is when regex starts to hurt my head but the following seems to work...just took a little playing around on regex101.

node=(?<node>[^\s]+) a0=(?<cmd>[^\s+]+)|\sa[1-9]=(?<args>\S+)

Ultimately, if you want regex to match multiples, each one would need to match what leads up to it. So I think this is telling regex that the node/a1 stuff can be there (a1) or even just space (a2-xxx). That's my understanding, but could also be making it up.

somesoni2 · ‎08-09-2017

Split into two rex statement, one for single value extraction and one for multivalued.

Extract both single-value and multivalue fields using rex

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!