Regex for multiple values for a single field in a ...

fitchjo · ‎12-18-2012

I see that this is something that others have had a problem with, but I need help adapting the regex to pull multiple values for a single field.

The regex that I'm using is listed below but only pulls the first value in each event (I'm targeting the MD5 hash value).

(?i)(?P[0-9a-fA-F]{32})

Event Excerpt:

File: Vagrant Animals.doc
Size: 577099 bytes
MD5: 851FE9B7CC95B2DE86C13F5F011F53C4

File: bits.dll
Size: 45056 bytes
MD5: 488E838BB732862DE915879002D07E56

gkanapathy · ‎12-18-2012

If you're in the transforms.conf, you need to add MV_ADD = true to the config. If you're using rex, you need to set max_matches to something higher than the default of 1.

fitchjo · ‎01-02-2013

The contents of the Props.conf file in the ...Splunk/etc/system/local folder are as follows -

[Spearfishing Event]
EXTRACT-MD5 = (?i)(?P[0-9a-fA-F]{32})
MV_ADD = true
REPORT-MD5=MD5 Extraction

The contents of the transforms.conf file in the same directory are as follows -

[MD5 Extraction]
REGEX=(?i)(?P[0-9a-fA-F]{32})
MV_ADD = true

The problem is that when I export a report in a .csv file, I still only get the first MD5 hash in each event rather than all of them.

fitchjo · ‎12-27-2012

In the manager, under field extractions - how do I modify the extraction/transform "(?i)(?P[0-9a-fA-F]{32}0" to reflect a max_matches of 99?

Is this even the best way to do this?

Regex for multiple values for a single field in a single event

Event Excerpt:

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...