Solved: Regex for values between comma's

jacqu3sy · ‎09-22-2017

Hi,

I need a Regex to use within the search query to pick up individual values separated by comma's within a set of speech marks. The number of values varies, but is started and broken by those speech marks.

For example within the _raw I have;

db_values="value1, value2, value3, value4"

I tried the following but not sure how I separate out value 1 and value 2 etc into separate entities;

rex field=db_value"(?P\w+_\w+)-"

Thanks.

gcusello · ‎09-22-2017

Hi jacqu3sy,
I'm not sure to have understood your need.
if you want to extract in separate events all the values in db_value you could use something like this

your_regex
| makemv db_values delim="," 
| mvexpand db_values 
| table db_values

Splunk automatically extract db_values field, if you want it's possible to extract using a regex:

your_regex
| rex max_match=0 "db_values="(?<db_values>[^,]*)"
| makemv db_values delim="," 
| mvexpand db_values 
| table db_values

Bye.
Giuseppe

View solution in original post

gcusello · ‎09-22-2017

Hi jacqu3sy,
I'm not sure to have understood your need.
if you want to extract in separate events all the values in db_value you could use something like this

your_regex
| makemv db_values delim="," 
| mvexpand db_values 
| table db_values

Splunk automatically extract db_values field, if you want it's possible to extract using a regex:

your_regex
| rex max_match=0 "db_values="(?<db_values>[^,]*)"
| makemv db_values delim="," 
| mvexpand db_values 
| table db_values

Bye.
Giuseppe

jacqu3sy · ‎09-22-2017

Awesome. The second one worked perfectly. thanks.

Regex for values between comma's

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!