Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write regex for a multivalue field

gndivya
Explorer
‎01-20-2020 01:52 AM

I have a multivalue field which is got from a stats function. using mvfind function, how to write regex for this.

query...|stats list(result_id) by user

result_id is a multivalue field and it contains data like

r_id1
r_id2
r_id3
r_id4

I want to write a regex which matches as below
r_id2
r_id3

but the below eval doesnt work.

eval n=mvfind(result_id,"r_id2\nr_id3")
OR
eval n=mvfind(result_id,"r_id2\sr_id3")

please help.

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎01-20-2020 03:25 AM

Verify the required result:

| makeresults count=2
| streamstats count
| eval _time=if(count=2,relative_time(_time,"-2d@d"),relative_time(_time,"-1d@d"))
| makecontinuous _time span=20m
| eval user="user_".(random() % 9 + 1)
| eval result_id="r_id".(random() % 4 + 1)
| streamstats count
| where count % 2 =1
| stats list(result_id) as result_id by user
| rex field=result_id max_match=10 "(?<result>\w+(2|3))"

Hi, folks

How to write regex for a multivalue field?

\w+(2|3) , this regex is.

recommend:

query...
|stats list(result_id) as result_id by user
| rex field=result_id max_match=10 "(?<result>\w+(2|3))"

How about this?

0 Karma
Reply

damann
Communicator
‎01-20-2020 02:46 AM

What is your suggested output?
Do you need your matching values as a new multivalue field? Or do you need the index of your matching values in your multivalue field?

Maybe this can help you:

| makeresults 
| eval mv="r_id1,r_id2,r_id3,r_id4"
|  makemv delim="," mv
| eval result=mvfilter(match(mv,"r_id2") OR match(mv,"r_id3"))
| eval n=if(isnotnull(mvfind(mv,"r_id2")),mvfind(mv,"r_id2"),""), n=if(isnotnull(mvfind(mv,"r_id3")),n.",".mvfind(mv,"r_id3"),"")
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2020 02:16 AM

Hi @gndivya,
to help you in regex creating, could you share some example (eventually masked!)?
Ciao.
Giuseppe

0 Karma
Reply

gndivya
Explorer
‎01-20-2020 02:18 AM

| makeresults
| eval my_multival="4726,4722,4726"
| makemv tokenizer="([^,]+),?" my_multival

this is the sample one i m using... that result id will contain data like below
4726
4726
4722
4726
4726
4726
4722
4726

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...