<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Multiline field extractions in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94834#M19734</link>
    <description>&lt;P&gt;search modifier? How? From the docs page's description of what multikv does: "Extracts field-values from table-formatted events."&lt;/P&gt;

&lt;P&gt;Tell me more about how you're using it as a search modifier?&lt;/P&gt;</description>
    <pubDate>Mon, 15 Apr 2013 18:40:17 GMT</pubDate>
    <dc:creator>Ayn</dc:creator>
    <dc:date>2013-04-15T18:40:17Z</dc:date>
    <item>
      <title>Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94831#M19731</link>
      <description>&lt;P&gt;I have an event which looks like this"&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;USERNAME            HOME_DIR           USER_INFO
root                /root              root
ec2-user            /home/ec2-user     EC2 Default User
test_user1          /home/test_user1   Testing User
test.user2          /home/test.user2   Test User 2
realuser            /home/realuser     A Real Person
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I want to build a field extraction to capture each value from the 3 columns, but I can't get the extraction tool to find any more than one occurrence in any event. I presume this is because it is not attempting multiline extractions, but fiddle and try as I might, I can't get multiline (?m) extractions to work.&lt;/P&gt;

&lt;P&gt;Can anyone point me in the correct direction?&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2013 18:12:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94831#M19731</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2013-04-15T18:12:05Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94832#M19732</link>
      <description>&lt;P&gt;If that's what your event looks like, using &lt;CODE&gt;multikv&lt;/CODE&gt; seems to be the perfect tool. &lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Multikv"&gt;http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Multikv&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2013 18:22:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94832#M19732</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-04-15T18:22:29Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94833#M19733</link>
      <description>&lt;P&gt;Multikv works beautifully as a search modifier, but is there a way to actually perform a field extraction with it?&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2013 18:38:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94833#M19733</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2013-04-15T18:38:09Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94834#M19734</link>
      <description>&lt;P&gt;search modifier? How? From the docs page's description of what multikv does: "Extracts field-values from table-formatted events."&lt;/P&gt;

&lt;P&gt;Tell me more about how you're using it as a search modifier?&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2013 18:40:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94834#M19734</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-04-15T18:40:17Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94835#M19735</link>
      <description>&lt;P&gt;...sorry, I hit comment before I had finished typing...&lt;/P&gt;

&lt;P&gt;What I'm trying to achieve is to collect each username into an extracted field, so that I can run reports like "most common username", "host with most users", "rarest username", "which hosts can x login to", etc.&lt;/P&gt;

&lt;P&gt;Is there a way to use multikv to extract these in this way?&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2013 18:45:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94835#M19735</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2013-04-15T18:45:51Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94836#M19736</link>
      <description>&lt;P&gt;ha, you got a response in before i finished &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;at search time, I can run this:&lt;/P&gt;

&lt;P&gt;sourcetype="blah"|multikv fields USERNAME HOME_DIR USER_INFO|table USERNAME HOME_DIR USER_INFO&lt;/P&gt;

&lt;P&gt;which gives me a nicely formatted table of my events. What I ideally would want to be able to do is simply:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype=blah | table USERNAME HOME_DIR USER_INFO
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 28 Sep 2020 13:44:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94836#M19736</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2020-09-28T13:44:03Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94837#M19737</link>
      <description>&lt;P&gt;Look into delimited extraction using REPORT stuff in props.conf / transforms.conf. This page has lots of info on it: &lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Second.2C_configure_a_field_extraction_and_associate_it_with_the_field_transform"&gt;http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Second.2C_configure_a_field_extraction_and_associate_it_with_the_field_transform&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;In your case it would be something like:&lt;/P&gt;

&lt;P&gt;props.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[yoursourcetype]
REPORT-grabfields = grabfields
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[grabfields]
DELIMS = "\t"
FIELDS = USERNAME,HOME_DIR,USER_INFO
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 15 Apr 2013 18:56:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94837#M19737</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-04-15T18:56:51Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94838#M19738</link>
      <description>&lt;P&gt;I didn't get this to work, but worked around it in another way.&lt;/P&gt;

&lt;P&gt;Whilst I am very appreciative of your help, I don't want to mark this as answered, because (for me at least) it isn't &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;

&lt;P&gt;I may come back to this in a few weeks, so perhaps we can pick this up again.&lt;/P&gt;

&lt;P&gt;Thanks again Ayn.&lt;/P&gt;</description>
      <pubDate>Sat, 27 Apr 2013 23:32:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94838#M19738</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2013-04-27T23:32:01Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94839#M19739</link>
      <description>&lt;P&gt;Great that you got it working! If you have the time the best thing would be to write an answer to your own question detailing how you solved the problem in the end, then accept your own answer so people can see what worked.&lt;/P&gt;</description>
      <pubDate>Mon, 29 Apr 2013 07:16:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94839#M19739</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-04-29T07:16:57Z</dc:date>
    </item>
    <item>
      <title>Re: Multiline field extractions</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94840#M19740</link>
      <description>&lt;P&gt;Your example is very similar to the solution I posted at:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://answers.splunk.com/answers/143107/field-extraction-from-space-aligned-fields-in-multi-line-events" target="_blank"&gt;http://answers.splunk.com/answers/143107/field-extraction-from-space-aligned-fields-in-multi-line-events&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Modify the code a little with max_match=3 and perhaps a few tweaks in the regex. I know the answer to this question is a little late, but it could help others with similar questions.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Jul 2014 12:27:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Multiline-field-extractions/m-p/94840#M19740</guid>
      <dc:creator>landen99</dc:creator>
      <dc:date>2014-07-01T12:27:05Z</dc:date>
    </item>
  </channel>
</rss>