Reputation: 1326
Multiple Rex Expressions
I'm using the rex expressions below to search for the following fields in my raw data:
Address Line 1 Address Line 2 Address Line 3 Address Line 4, and Postcode
| rex "Address Line 1=(?<address1>[^,]*)"
| rex "Address Line 2=(?<address2>[^,]*)"
| rex "Address Line 3=(?<address3>[^,]*)"
| rex "Address Line 4=(?<address4>[^,]*)"
| rex "Postcode=(?<postcode>[^,]*)"
As you can see by the expression, each of these fields is then assigned a variable so for Address Line 1, the variable is address1, Address Line 2 is 'address2' and so on.
As you will also no doubt see, the above expression contains multiple rex expressions, could someone perhaps tell me please, is there a way to combine these into one rex expression.
Upvotes: 4
Views: 7109
Answers (2)
Reputation: 315
you simply put several group match in your regex. Here is an example:
| rex field=_raw "\"SubjectId\":\"(?P<User>[^\"]*)\".*\"GrantType\":\"(?P<GrantType>\w*)\".*\"Category\":\"(?P<Category>\w+)\".*\"Name\":\"(?P<desc>[^\"]*)\".*\"TimeStamp\":\"(?P<TimeStamp>[^\"]*)\".*\"RemoteIpAddress\":\"(?P<IP>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\"" |
of course, this requires to know the order of the fields in advance, which is not required when chaining several 'rex' expressions in your search.
I do find it easier for complex example to first put a few lines in regex101.app for instance to validate the expression (I'm using the local installed app, but the website works)
EDIT FOLLOWING COMMENT
If all your addresses are separated by comma as your regular expression seems to show:
| rex field=_raw "(?P<addr1>[^,]),(?P<addr2>[^,]),(?P<addr3>[^,]),(?P<addr4>[^,]),(?P<postalcode>.*)"
If the separator is something else, just replace the character in each group.
Upvotes: 1
Reputation: 3670
The first example on page https://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Rex shows how to extract multiple fields with a single rex command. If your _raw is multiline, use \n or \r as appropriate.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Knowledge/AboutSplunkregularexpressions
Upvotes: 1
Related Questions
- Extracting multi values with regex ( Only values, Not Fieldname )
- Parsing Server Log with Rex package in R
- Splunk rex extract field, I am close but just cant get it matching
- Splunk: How to use multiple regular expressions in one query?
- Create regular expression using the rex command in Splunk to return xml child elements
- regex parse multiple expressions
- Splunk rex: extracting repeating keys and values to a table
- Splunk: how to extract fields using regular expressions? like rex in splunk search
- RegEx in Splunk Search
- A regex with Splunk