The following
| rex "^(?:[^,\n]*,){8}\"\w+\":\"/(?P<apiURL3>\w+/\w+/\w+/\w+\.\d+/\w+\.\w+)"
produces for us the desired apiURL3 field. However, we have multiple instances of this field within the event. How can we use the makemv tokenizer command (or anything else) to produce this set of fields?
Btw, we also get the following information message - Cannot get username when all users are selected.
...
If the regular expression will correctly match all of the instances of apiURL3, then you can simply add max_match=x, where x is the maximum number of matches you expect. So it would look like this for up to 1000 matches:
| rex max_match=1000 "^(?:[^,\n]*,){8}\"\w+\":\"/(?P<apiURL3>\w+/\w+/\w+/\w+\.\d+/\w+\.\w+)"
This will produce a multivalue field called apiURL3.
Here's some more info about options for rex:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Rex
No luck with max_match=1000
That suggests to me that the regular expression is structured in such a way that it only matches on one of the instances of apiURL3. Could you post some of the source data, so I can help you adjust the regex?
Ya, if max_match is not working then the regular expression might be the issue.
The regex starts with a caret (^), which implies that it will only match when it encounters the start of a new line. Is that true for the event?
Ha, good catch @nileena. There is no chance, @ddrillic, that this regex will match multiple instances. At a minimum, try taking out the caret to see if it works. If not, I'm happy to help look at some sample data and see how to restructure the regex.
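To show concretely why the caret defeats max_match, here is an added example that is not part of this thread and not Splunk code: it runs the thread's regex through Python's re module (which accepts the same (?P<name>...) syntax as the PCRE engine behind rex) against a constructed three-record event, and compares the anchored regex, the regex with the caret removed, and the regex with a (?m) inline flag so the caret matches at every line start. The rex() helper is a stand-in that imitates only the max_match behaviour (default one match; 0 meaning unlimited, as the Splunk rex documentation defines it), and the sample event is invented. For a search that feeds an alert, an anchor that silently keeps only the first of several records is a real detection gap, so checking the match count on representative events is worth doing before trusting the field.

```python
import re

# Constructed sample event (not from the thread): three comma-separated records
# on separate lines, each with eight leading fields followed by a JSON-style
# key/value whose value is the path the thread wants to extract.
EVENT = (
    'a1,b1,c1,d1,e1,f1,g1,h1,"url":"/svc/v1/users/file.1/report.json",x\n'
    'a2,b2,c2,d2,e2,f2,g2,h2,"url":"/svc/v1/orders/file.2/summary.csv",y\n'
    'a3,b3,c3,d3,e3,f3,g3,h3,"url":"/svc/v1/items/file.3/detail.txt",z'
)

# The regex from the thread, as written there.
ANCHORED = r'^(?:[^,\n]*,){8}\"\w+\":\"/(?P<apiURL3>\w+/\w+/\w+/\w+\.\d+/\w+\.\w+)'
# The same regex with the leading caret removed, as suggested in the thread.
UNANCHORED = ANCHORED[1:]
# Caret kept, but the (?m) inline flag (understood by PCRE and Python's re)
# makes ^ match at the start of every line instead of only the start of the event.
PER_LINE = '(?m)' + ANCHORED


def rex(pattern, event, max_match=1):
    """Imitate rex's multivalue extraction (hypothetical stand-in, not Splunk's code):
    return the apiURL3 group of each match as a list. max_match=1 mirrors rex's
    default of a single match; 0 means unlimited."""
    values = [m.group('apiURL3') for m in re.finditer(pattern, event)]
    return values if max_match == 0 else values[:max_match]


if __name__ == '__main__':
    for name, pattern in (('anchored', ANCHORED),
                          ('caret removed', UNANCHORED),
                          ('(?m) caret', PER_LINE)):
        # Even with max_match=0 the anchored form yields one value: ^ only
        # matches once, at the very start of the event.
        print(f'{name:14s} max_match=0 -> {rex(pattern, EVENT, max_match=0)}')
```

Running it shows the anchored pattern returning a single value no matter how large max_match is, while both alternatives return all three paths; whether dropping the caret alone is enough on the real data depends on what precedes each instance, which is why the posters ask for a sample event.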
Awesome collaboration on this @ddrillic, @micahkemp, @elliotproebstel, and @nileena! Hopefully that resolves the issue.
Makes perfect sense that the regex is the issue. I removed the ^ from it without much success. I'll check it more...
Set max_match to have rex return multivalue fields:
| rex max_match=0 "^(?:[^,\n]*,){8}\"\w+\":\"/(?P<apiURL3>\w+/\w+/\w+/\w+\.\d+/\w+\.\w+)"
No luck with max_match=0.