I am performing the Splunk query on the following result. The following field repeats 100 times with different values:
randomstring=randomstring&firstRex=firstRexValue&anotherradomstring=antotherrandomstring&secondRex=secondrexvalue&somotherstuff=someotherstuffvalue&yetanotherstuff=yetanotherstuffvalue&thirdRex=thirdrexvalue
The Splunk query is as below.
source="source" searchquery
| rex "firstRex=(?<value1>[^&]+)"
| rex "secondRex=(?<value2>[^&]+)"
| rex "thirdRex=(?<value3>[^&]+)"
| transaction value1
| table value2 value3
Now when I do table, value2 and value3 don't seem connected. I mean the column value2 has 5 rows while column value3 has 7 rows, for example.
Further, I would also like to add the date for each event in the table. How can I do it?
And I would need your suggestion to perform the regex in a single rex query instead of three 🙂