Solved: Re: Repeating regex to fill multivalue field

Derek · ‎07-02-2010

Ok. Not having a spectacular regex day...

I have this:

Recipients: joe.smith@mig.mydomain.com, jane.smith@mig.mydomain.com, bob.smith@mig.mydomain.com,

In props.conf I have:

[mySource]
EXTRACT-recipients = (?i)Recipients: (?P<recipients>.*, )
REPORT-to = myTo

and in transforms.conf I have:

[myTo]
REGEX = (?P<to>.*?[,])
SOURCE_KEY = recipients
MV_ADD = true

It sorta works, but I'm getting each to value twice, and how do I drop the trailing ',' at the end.

Thanks!!

Ledion_Bitincka · ‎07-02-2010

You can try the following definition for myTo - it should get rid of the trailing commas, however I was not able to get double values. Can you post a complete sample event and all transfroms that extract a field named 'to'?

[myTo]
REGEX = (?P<to>[^,]+)[,]
SOURCE_KEY = recipients
MV_ADD = true

View solution in original post

Ledion_Bitincka · ‎07-02-2010

You can try the following definition for myTo - it should get rid of the trailing commas, however I was not able to get double values. Can you post a complete sample event and all transfroms that extract a field named 'to'?

[myTo]
REGEX = (?P<to>[^,]+)[,]
SOURCE_KEY = recipients
MV_ADD = true

Derek · ‎07-02-2010

The regex worked great. Thanks! I sorted out the issue with the duplicates. It was the way I was using extract to reload my props/transforms.

Repeating regex to fill multivalue field

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability