Spread our blog

Usage of REX Attribute : max_match

Hi Guys !!
Today we have come with a important attribute, which can be used with “rex” command. The attribute name is “max_match” . By using “max_match” we can control the number of times the regex will match. If matching values are more than 1, then it will create one multivalued field. We can use to specify infinite times matching in a single event. For multiple matches the whole rex pattern should be similar to all the events. By default max_match remains 1.

Syntax:

max_match=<int>

NOTE: You need to specify any integer (<int>). Here “n” is for matching “n” number of times and is for matching infinite times. (where n=1,2,3,.…..)

Suppose we have data like this,
Where we want to extract all counts, highlighted in the red box in the above figure. If you see carefully then you can notice that all the events are in same pattern i.e.
number of count for (A/B/C) : (<digit>), here we want to extract all the digits <digit> in a one field.
Now if we write normal regex like this then what will happen?
If you want to learn about rex command then click here.

Example:

index="log_in_details" sourcetype=count
| rex field=_raw "number\s+of\s+count\s+for.*\:\s+(?<COUNT>\d+).*"

Explanation:
In the pre pattern portion we have specified – number of count for (A/B/C) : this potion.
In the Extracted pattern – <counts>
After this you will get a result like this.


If we view the data in tabular format then you can see that only the first count of each event has been extracted. Now if you remember that earlier we told you that “max_match” takes 1 by default. So now take a look.

index="log_in_details" sourcetype=count
| rex field=_raw max_match=1 "number\s+of\s+count\s+for.*\:\s+(?<COUNT>\d+).*"

If you apply the above query it will return the same result.

You can also know about :  HOW TO CHANGE THE EMAIL SUBJECT Dynamically WITH A HIDDEN FIELD


I think it’s clear, by default it’s matching one time on each event, if we specify as 2 (i.e. max_match=2), it will match two times on each event .


Now if we want to extract all the count with similar pattern then use max_match=0

index="log_in_details" sourcetype=count
| rex field=_raw max_match=0 "number\s+of\s+count\s+for.*\:\s+(?<COUNT>\d+).*"

In this way you can extract all the counts in a multivalued field.
This is all about max_match. I hope you have understood this topic on : Usage of REX Attribute : max_match

Happy Splunking!!

What’s your Reaction?
+1
+1
+1
1
+1
+1
1
+1
+1

Spread our blog

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here