Solved: Re: Regex for values between comma's

jacqu3sy · ‎09-22-2017

Hi,

I need a Regex to use within the search query to pick up individual values separated by comma's within a set of speech marks. The number of values varies, but is started and broken by those speech marks.

For example within the _raw I have;

db_values="value1, value2, value3, value4"

I tried the following but not sure how I separate out value 1 and value 2 etc into separate entities;

rex field=db_value"(?P\w+_\w+)-"

Thanks.

gcusello · ‎09-22-2017

Hi jacqu3sy,
I'm not sure to have understood your need.
if you want to extract in separate events all the values in db_value you could use something like this

your_regex
| makemv db_values delim="," 
| mvexpand db_values 
| table db_values

Splunk automatically extract db_values field, if you want it's possible to extract using a regex:

your_regex
| rex max_match=0 "db_values="(?<db_values>[^,]*)"
| makemv db_values delim="," 
| mvexpand db_values 
| table db_values

Bye.
Giuseppe

View solution in original post

gcusello · ‎09-22-2017

Hi jacqu3sy,
I'm not sure to have understood your need.
if you want to extract in separate events all the values in db_value you could use something like this

your_regex
| makemv db_values delim="," 
| mvexpand db_values 
| table db_values

Splunk automatically extract db_values field, if you want it's possible to extract using a regex:

your_regex
| rex max_match=0 "db_values="(?<db_values>[^,]*)"
| makemv db_values delim="," 
| mvexpand db_values 
| table db_values

Bye.
Giuseppe

jacqu3sy · ‎09-22-2017

Awesome. The second one worked perfectly. thanks.

Regex for values between comma's

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...