Forums: SplunkAdministration: REPEAT_MATCH does not repeat




I have something like this in my logs:

bw_relayhost_abc.ch@test.ch=adjsfsdfsf bw_relayhost_cde.ch@test2.ch=adjsfsdfsfbw_relayhost_abc.ch@test.ch=adjsfsdfsf

My regex looks like this: bw_relayhost_([^=]*)=

I've tested the regex with an online tester and I get three groups out of it:

abc.ch@test.ch
cde.ch@test2.ch
abc.ch@test.ch

Splunk gives me just the first one...

What's up?

Here's my transforms.conf stanza:

[smpt_recipient_reject_ec]
REGEX = bw_relayhost_([^=]*)=
REPEAT_MATCH = true
FORMAT = smtp_recipient::$1
SOURCE_KEY = _raw
DEST_KEY = _meta
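An added example, not from either poster and not Splunk's own code: a small Python emulation of what the stanza above asks for, run over the sample line from the question. The `$N` substitution into FORMAT and the "first match only" behaviour when repeat matching is off are assumptions of this emulation, used only to show what the regex yields in each mode.

```python
import re

# Constructed sample line, copied from the question above (not real log data).
SAMPLE_LINE = (
    "bw_relayhost_abc.ch@test.ch=adjsfsdfsf "
    "bw_relayhost_cde.ch@test2.ch=adjsfsdfsfbw_relayhost_abc.ch@test.ch=adjsfsdfsf"
)

# Values taken from the transforms.conf stanza in the question.
REGEX = r"bw_relayhost_([^=]*)="
FORMAT = "smtp_recipient::$1"


def apply_transform(raw: str, regex: str, fmt: str, repeat_match: bool) -> list[str]:
    """Hypothetical emulation (not Splunk's implementation) of a REGEX/FORMAT
    pair applied to _raw: each match has its capture groups substituted into
    FORMAT ($1, $2, ...) and the resulting name::value token is collected.
    With repeat_match False only the first match is used."""
    pattern = re.compile(regex)
    tokens = []
    for m in pattern.finditer(raw):
        token = fmt
        for i, group in enumerate(m.groups(), start=1):
            token = token.replace(f"${i}", group or "")
        tokens.append(token)
        if not repeat_match:
            break
    return tokens


def field_values(tokens: list[str], field: str) -> list[str]:
    """Collect the values of one field from name::value tokens, preserving
    order and duplicates, i.e. the multivalue field the question expects."""
    prefix = field + "::"
    return [t[len(prefix):] for t in tokens if t.startswith(prefix)]


if __name__ == "__main__":
    single = apply_transform(SAMPLE_LINE, REGEX, FORMAT, repeat_match=False)
    repeated = apply_transform(SAMPLE_LINE, REGEX, FORMAT, repeat_match=True)
    print("first match only:", field_values(single, "smtp_recipient"))
    print("all matches:     ", field_values(repeated, "smtp_recipient"))
```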

You won't be able to extract all the values into the same smtp_recipient field. You would only be able to extract them if the values were presented in a comma separated format.

To accomplish what you are looking to do, you would need a simple search processor.
