I seem to be unable to comment on the similar questions, but as they haven't answered my question, here I go.
With the event
node=hostname a0=first a1=second a2=third a3=fourth
using rex
rex max_match=0 field=_raw "node=(?<node>[^\s]+) a0=(?<cmd>[^\s+]+) a[1-9]=(?<args>[^\s]+)"
returns node, cmd and only 1 args
but
rex max_match=0 field=_raw "a[1-9]=(?<args>[^\s]+)"
returns all the args
Is there a way to achieve the former with args as a multivalue field?
thanks @somesoni2 you put me on the right track,
I changed my regex to extract all the a1-a99 parameters into a single field (args) and then ran a 2nd rex against that to extract the parameters into a multivalue field
If your problem is resolved, please accept an answer to help future readers.
I think it's a regex thing, not a splunk thing. This is when regex starts to hurt my head but the following seems to work...just took a little playing around on regex101.
node=(?<node>[^\s]+) a0=(?<cmd>[^\s+]+)|\sa[1-9]=(?<args>\S+)
Ultimately, if you want regex to match multiples, each one would need to match what leads up to it. So I think this is telling regex that the node/a1 stuff can be there (a1) or even just space (a2-xxx). That's my understanding, but could also be making it up.
Split into two rex statements, one for single value extraction and one for multivalued.
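An added illustration, not part of the original thread, of why the first pattern returns a single args value while the alternation pattern from the answer and the two-rex workaround return all of them. Splunk's rex cannot run outside Splunk, so Python's re module stands in for it (re.finditer restarts after each match the way max_match=0 does); the event is the constructed one from the question, the PCRE `(?<name>` groups are written as Python's `(?P<name>`, and the HEAD/ARG_VALUE patterns are my own rendering of the two-step approach, not the questioner's exact regexes.

```python
import re

# Constructed sample event, same shape as the one in the question.
EVENT = "node=hostname a0=first a1=second a2=third a3=fourth"

# The questioner's first pattern: node, cmd and args are chained together,
# so after the first match the engine resumes at " a2=..." and can no longer
# find "node=" -> exactly one args value.
SINGLE_PASS = re.compile(r"node=(?P<node>\S+) a0=(?P<cmd>\S+) a[1-9]=(?P<args>\S+)")

# The answer's alternation: either the node/a0 prefix or a lone " aN=value".
# Each alternative matches on its own, so every aN=value is a separate match.
ALTERNATION = re.compile(r"node=(?P<node>\S+) a0=(?P<cmd>\S+)|\sa[1-9]=(?P<args>\S+)")

# The two-rex workaround (my rendering): first pull the whole "a1=... a99=..."
# tail into one field, then split that field into individual values.
HEAD = re.compile(r"node=(?P<node>\S+) a0=(?P<cmd>\S+)(?:\s+(?P<args>a[1-9]\d?=.*))?")
ARG_VALUE = re.compile(r"a[1-9]\d?=(\S+)")


def rex_all(pattern, text):
    """Emulate `rex max_match=0`: collect every match's named groups as multivalue fields."""
    fields = {}
    for m in pattern.finditer(text):
        for name, value in m.groupdict().items():
            if value is not None:
                fields.setdefault(name, []).append(value)
    return fields


def two_rex(text):
    """Single-value extraction first, then a second pass over the args tail."""
    head = HEAD.search(text)
    if head is None:
        return {}
    return {
        "node": [head["node"]],
        "cmd": [head["cmd"]],
        # Events with only a0 and no further arguments yield an empty list.
        "args": ARG_VALUE.findall(head["args"] or ""),
    }


if __name__ == "__main__":
    print("single pass :", rex_all(SINGLE_PASS, EVENT))
    print("alternation :", rex_all(ALTERNATION, EVENT))
    print("two rex     :", two_rex(EVENT))
```

The alternation works because the regex engine scans left to right and takes the first alternative that matches at the current position: the node/a0 prefix once at the start, then the bare `\sa[1-9]=` branch for each remaining argument. The two-step form is easier to reason about in a real search because the first rex stays a single-value extraction and only the second one is multivalue.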