topic Re: Field extraction issue in Splunk Search

Field extraction issue

snowye — Fri, 23 Nov 2012 08:54:05 GMT

A transaction log format as follows:

------Procedure[xxx]'s input paramaters:
journalNo = 111111
custormerId = 22222
payAccName = test1
payAcct = 12000000312313131
recAccName = name1
recAcct = 795729419
hostCode = 23131
businessCode = CB704
------Procedure[xxx]'s input paramaters:
recAccName = name1
recAcct = 795729419
tranAmt = 40378.00
custormerId = 22222
------Procedure[xxx]'s input paramaters:
recAccName = name2
recAcct = 192723415
tranAmt = 13033.00
custormerId = 22222
------Procedure[xxx]'s output paramaters:
procRetCode = 00000

I extract field of recAccName(field of recAccName contains name1 name2 name3 name4 name5).Field extraction: (?i)\nrecAccName\s=\s(?P<ebank_recAccName>\S+) .After extract,field of ebank_recAccName only have name1 name2 name4 name5.Why?

[ebankraw]
SHOULD_LINEMERGE = False
KV_MODE = none
TIME_PREFIX = \[
TIME_FORMAT = %y-%m-%d %H:%M:%S:%3N
TZ =Asia/Shanghai
NO_BINARY_CHECK = true
invalid_cause = archive
unarchive_cmd = _auto
CHARSET = GB2312

Yes,there are more rows in my events,with recAccName = name3 name4 name5 name6 name7 etc.It's just a sample.

Re: Field extraction issue

Drainy — Fri, 23 Nov 2012 08:56:46 GMT

Could you post your props/transforms?

Re: Field extraction issue

sonicant — Fri, 23 Nov 2012 09:03:14 GMT

You mean you found value "交易3" was lost in the multi valued field?

Re: Field extraction issue

Ayn — Mon, 26 Nov 2012 07:47:44 GMT

Your sample data does not include the event containing "name3" so it's hard to say what goes wrong there...

Re: Field extraction issue

kristian_kolb — Mon, 26 Nov 2012 07:55:35 GMT

Your sample only contains name1 and name2. Are you saying that there are more rows in your events, with other recAccName = xxx lines?

Not really sure about what you're trying to accomplish, but have you looked at MV_ADD=true in transforms.conf (called from props.conf)?

http://docs.splunk.com/Documentation/Splunk/5.0.1/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles

Re: Field extraction issue

bmacias84 — Mon, 28 Sep 2020 14:20:43 GMT

Not sure what you are trying to accomplish either, but it seems that every ------Procedure[xxx]'s input paramaters: is its own event. Why not use BREAK_ONLY_BEFORE = -{6}Procedure? Since everything seem to be in key=value splunk should auto-extract. Which should get around haveing to use MV_ADD=true.

Re: Field extraction issue

mloven_splunk — Thu, 18 Jul 2013 20:13:27 GMT

Change

KV_MODE = none

to:

KV_MODE = auto

And Splunk should extract the field automatically.