https://community.splunk.com/t5/Splunk-Search/How-to-extract-more-than-one-value-out-of-a-field-extraction/m-p/367411#M108375 <P>I'm using props.conf and transforms.conf to extract fields with delimiters, some of which are multi-valued. Example:</P> <P>in transforms.conf: <BR /> BHT_Fields]<BR /> DELIMS = '*'<BR /> FIELDS = BHT_1,BHT_2,BHT_3,BHT_4,BHT_5,BHT_6<BR /> SOURCE_KEY = BHT</P> <P>The following data extracts to:<BR /> BHT*0006*12*119283254-20254*20170728*102604*18 <BR /> BHT_1 = 0006<BR /> BHT_2 = 12<BR /> ...etc.</P> <P>But for another field:<BR /> [DMG_Fields]<BR /> DELIMS = '*'<BR /> FIELDS = DMG_1,DMG_2,DMG_3<BR /> SOURCE_KEY = DMG</P> <P>This field has multiple values:<BR /> DMG*D8*19820811*M<BR /> DMG*D8*19610130*U</P> <P>It extracts to:<BR /> DMG_1 = D8<BR /> DMG_2 = 19820811<BR /> DMG_3 = M D8</P> <P>...and that's it. It grabs the beginning of the second row (into the last field of the first row), then doesn't grab anything else.</P> <P>I've got MV_ADD = true in transforms.conf<BR /> How do I get splunk to extract that second row?</P> Tue, 29 Sep 2020 13:58:54 GMT gregbo 2020-09-29T13:58:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-more-than-one-value-out-of-a-field-extraction/m-p/367411#M108375 <P>I'm using props.conf and transforms.conf to extract fields with delimiters, some of which are multi-valued. Example:</P> <P>in transforms.conf: <BR /> BHT_Fields]<BR /> DELIMS = '*'<BR /> FIELDS = BHT_1,BHT_2,BHT_3,BHT_4,BHT_5,BHT_6<BR /> SOURCE_KEY = BHT</P> <P>The following data extracts to:<BR /> BHT*0006*12*119283254-20254*20170728*102604*18 <BR /> BHT_1 = 0006<BR /> BHT_2 = 12<BR /> ...etc.</P> <P>But for another field:<BR /> [DMG_Fields]<BR /> DELIMS = '*'<BR /> FIELDS = DMG_1,DMG_2,DMG_3<BR /> SOURCE_KEY = DMG</P> <P>This field has multiple values:<BR /> DMG*D8*19820811*M<BR /> DMG*D8*19610130*U</P> <P>It extracts to:<BR /> DMG_1 = D8<BR /> DMG_2 = 19820811<BR /> DMG_3 = M D8</P> <P>...and that's it. It grabs the beginning of the second row (into the last field of the first row), then doesn't grab anything else.</P> <P>I've got MV_ADD = true in transforms.conf<BR /> How do I get splunk to extract that second row?</P> Tue, 29 Sep 2020 13:58:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-more-than-one-value-out-of-a-field-extraction/m-p/367411#M108375 gregbo 2020-09-29T13:58:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-more-than-one-value-out-of-a-field-extraction/m-p/367412#M108376 <P>Try changing your transforms.conf entry like this</P> <PRE><CODE>[DMG_Fields] REGEX = DMG\*([^\*]+)\*([^\*]+)\*([^\*]+) FORMAT = DMG_1::$1 DMG_2::$2 DMG_3::$3 SOURCE_KEY = DMG MV_ADD = true </CODE></PRE> Mon, 08 May 2017 13:56:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-more-than-one-value-out-of-a-field-extraction/m-p/367412#M108376 somesoni2 2017-05-08T13:56:05Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-more-than-one-value-out-of-a-field-extraction/m-p/367413#M108377 <P>I tried your suggestion, but it returned nothing.</P> Tue, 09 May 2017 09:40:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-more-than-one-value-out-of-a-field-extraction/m-p/367413#M108377 gregbo 2017-05-09T09:40:34Z