- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do we convert rex into makemv?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do we convert rex into makemv?
The following | rex "^(?:[^,\n]*,){8}\"\w+\":\"/(?P<apiURL3>\w+/\w+/\w+/\w+\.\d+/\w+\.\w+)" produces for us the desired apiURL3 field. However, we have multiple instances of this field within the event. How can we use the makemv tokenizer command (or anything else) to produce this set of fields?
Btw, we also get the following information message - Cannot get username when all users are selected....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the regular expression will correctly match all of the instances of apiURL3, then you can simply add max_match=x, where x is the maximum number of matches you expect. So it would look like this for up to 1000 matches:
| rex max_match=1000 "^(?:[^,\n]*,){8}\"\w+\":\"/(?P<apiURL3>\w+/\w+/\w+/\w+\.\d+/\w+\.\w+)"
This will produce a multivalue field called apiURL3.
Here's some more info about options for rex:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Rex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No luck with max_match=1000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That suggests to me that the regular expression is structured in such a way that it only matches on one of the instances of apiURL3. Could you post some of the source data, so I can help you adjust the regex?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ya, if max_match is not working then the regular expression might be the issue.
The regex starts with a caret (^), which implies that it will only match when it encounters the start of a new line. Is that true for the event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ha, good catch @nileena. There is no chance, @ddrillic, that this regex will match multiple instances. At a minimum, try taking out the caret to see if it works. If not, I'm happy to help look at some sample data and see how to restructure the regex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome collaboration on this @ddrillic , @micahkemp, @elliotproebstel, and @nileena! Hopefully that resolves the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Makes perfect sense that the regex is the issue. I removed the ^ from it without much success. I'll check it more...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Set max_match to have rex return multivalue fields:
| rex max_match=0 "^(?:[^,\n]*,){8}\"\w+\":\"/(?P<apiURL3>\w+/\w+/\w+/\w+\.\d+/\w+\.\w+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No luck with max_match=0.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
