- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I capture the repeating pattern on multiple...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With this dataset, the linebreaker is zone:
zone: zone_1wwns
00:00:00:00:00:00:00:01
zone: zone_2wwns
00:00:00:00:00:00:00:02
00:00:00:00:00:00:00:03
zone: zone_3wwns
00:00:00:00:00:00:00:04
00:00:00:00:00:00:00:05
00:00:00:00:00:00:00:06
When I use the regex:
| rex max_match=0 "zone:\s+(?\w+)((\s+(?\S\S\:\S\S\:\S\S\:\S\S\:\S\S\:\S\S\:\S\S\:\S\S))+)"
It captures the last wwn, when I remove the (+) at the end, then it captures the first wwn
When I do this search w/ Notepad++ it finds all wwns (my most used tool for testing rex). Seems like this should work.
Is there another way to capture these possible extra lines?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try (runanywhere sample, everything before rex command is to generate sample data)
| gentimes start=-1 | eval raw="zone: zone_1wwns
00:00:00:00:00:00:00:01
##zone: zone_2wwns
00:00:00:00:00:00:00:02
00:00:00:00:00:00:00:03
##zone: zone_3wwns
00:00:00:00:00:00:00:04
00:00:00:00:00:00:00:05
00:00:00:00:00:00:00:06" | table raw | makemv raw delim="##" | mvexpand raw
| rex field=raw max_match=0 "zone:\s+(?<zone>\w+)[\r\n\s](?<ZoneVal>\s*((\d{2}\:)+\d+[\r\n\s]*)+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"This is close.. although it takes all the ZoneVal & lops them into the same field value. I need them to be different values.
after rethinking it, broke into 2 rex's.
| rex "zone:\s+(?\S+)"
| rex max_match=0 "(?\S\S:\S\S:\S\S:\S\S:\S\S:\S\S:\S\S:\S\S)"
That nailed it... although dang it! my first attempt should have worked! 🙂 "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try (runanywhere sample, everything before rex command is to generate sample data)
| gentimes start=-1 | eval raw="zone: zone_1wwns
00:00:00:00:00:00:00:01
##zone: zone_2wwns
00:00:00:00:00:00:00:02
00:00:00:00:00:00:00:03
##zone: zone_3wwns
00:00:00:00:00:00:00:04
00:00:00:00:00:00:00:05
00:00:00:00:00:00:00:06" | table raw | makemv raw delim="##" | mvexpand raw
| rex field=raw max_match=0 "zone:\s+(?<zone>\w+)[\r\n\s](?<ZoneVal>\s*((\d{2}\:)+\d+[\r\n\s]*)+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Notepad++ is great, but I believe it does not use a Perl-compatible regex engine (PCRE) like Splunk does. Most folks here use regex101.com to test their regular expressions.
If this reply helps you, Karma would be appreciated.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
