Need some help with a repeating regex

Question

I have an event with a field like this: ids="ID-120-1, ID-141-5, ID-92-5, N/A"

I'd like to extract the field and only keep IDs (i.e. I don't want the "N/A" value).

I have a transforms entry like this:

[mv-ids]
REGEX = \bid=\"(?<id>(ID-\d+-\d+)+)
MV_ADD = true

and my props.conf

[mysourcetype]
REPORT-ids = mv-ids

This isn't working as I would hope though. I'm only getting the first ID. What do I need to do to get all of the IDs added to the id field?

Accepted Answer

0	Looks like this is the solution: http://answers.splunk.com/questions/9853/multivalue-field-regex-question/9875#9875 link answered 13 Dec '10, 00:41 mw 1.7k●2●15 accept rate: 29% edited 14 Dec '10, 23:41

Answer 2

0

I don't think you need the last plus sign.

Try:

REGEX = \bid=\"(?<id>(ID-\d+-\d+))
FORMAT = mv-id::$1

Jim

link

answered 12 Dec '10, 22:19

jamesdon
51●8
accept rate: 0%

That doesn't seem to work. I end up with 1 entry in the field and it's the entire string. Oh, I was so hopeful. I'm about to put my head through a wall. :)

(12 Dec '10, 22:46) mw

Need some help with a repeating regex

Follow this question

Splunk Resources

Related questions