Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multivalue field regex question

mw
Splunk Employee
Splunk Employee
‎12-14-2010 04:15 AM

I have a field like this: 

... group="Group One,Group2,Some Other Group" ...

Using 'makemv delim="," group' is easy and works great, but I'm having a hard time getting the right regex in transforms to do it automatically. I've tried a number of things, but they all end up being too greedy, or just not working. Based on my last question here, I tried things like this:

REGEX = (?:(?:group=\")|(?:,))(?<group>(?:[^,]+)*)
MV_ADD = true

I've also tried:

REGEX = (([^,]+)*)
SOURCE_KEY = group

I've tried enough things that I've lost track. I'm sure this should be quite easy, but it's not. Any help?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎12-14-2010 07:54 PM

The correct method to make this field multivalued is to use fields.conf:

props.conf:

[bigfix]
REPORT-bf = mv_group

transforms.conf:

[mv_group]
REGEX = group\=\"([^\"]+)
FORMAT = group::$1

fields.conf:

[group]
TOKENIZER = ([^\,]+)

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎12-14-2010 07:54 PM

The correct method to make this field multivalued is to use fields.conf:

props.conf:

[bigfix]
REPORT-bf = mv_group

transforms.conf:

[mv_group]
REGEX = group\=\"([^\"]+)
FORMAT = group::$1

fields.conf:

[group]
TOKENIZER = ([^\,]+)
Reply
Solved! Jump to solution

blurblebot
Communicator
‎08-18-2011 08:32 AM

Challenge bonus extra credit question: What should my transforms.conf regex look like for the same line of data mw specified, but without the quotation marks? Betcha can't do it.

0 Karma
Reply
Solved! Jump to solution

Dan
Splunk Employee
Splunk Employee
‎12-14-2010 07:09 PM

Fiddled with it for a little while, but didn't get too much farther. I added some ingredients like positive lookahead (?=) and non-greedy wildcard (.*?). Taking a step back, I'm not sure if regex is the right way to go about this. Isn't there an easier way to persist "makemv delim=" to the configs? If not, there should be.

(?=group=\")(?:(?:group=\")|(?:.*,))(?<group>[^,]*?)(?:\")
Reply
Solved! Jump to solution

mw
Splunk Employee
Splunk Employee
‎12-14-2010 07:39 PM

That does seem to work a bit better, but still seems unreliable. I have a couple fields like this and it seems to work with my group data, but not with my site data which is formatted the same and I would expect would work properly with the same regex. Agreed. I have to think there's something built-in that I've missed here. Would be really nice if this worked in this case, but it doesn't seem to or I've missed something: 

DELIMS = "," 
SOURCE_KEY = group 
MV_ADD = true
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...