https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432333#M123534 <P>You will have to create your own sourcetype-based field extraction on your search head like this:</P> <P>props.conf:</P> <PRE><CODE>[yourSourcetypeHere] REPORT-CustomKVPs = CustomKVPs KV_MODE = none </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[Custom_KVPs] REGEX = ([^\s=]+)\s*=\s*([^\s=]+) FORMAT = $1::$2 REPEAT_MATCH = true </CODE></PRE> Mon, 17 Jun 2019 19:48:47 GMT woodcock 2019-06-17T19:48:47Z https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432328#M123529 <P>Hi,</P> <P>(In Splunk) I am only able to extract the first value of a comma-separated list for a given field in which the file has results- <BR /> only 1 result or group of results with comma separated.<BR /> How do I retrieve all values when I call the file to the table.</P> <P>Thanks</P> Mon, 17 Jun 2019 16:42:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432328#M123529 varunawasthi9 2019-06-17T16:42:51Z https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432329#M123530 <P>Please try again and have somebody proofread your post. Your problem is unclear.</P> Mon, 17 Jun 2019 17:06:43 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432329#M123530 woodcock 2019-06-17T17:06:43Z https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432330#M123531 <P>Perhaps you are trying to splunk a field which is a CSV into multiple values; if so, try this:</P> <PRE><CODE>... | makemv delim="," YourFieldCSV </CODE></PRE> <P>Or this:</P> <PRE><CODE>... | eval YourNewField = splunk(YourFieldCSV, ",") </CODE></PRE> Mon, 17 Jun 2019 17:08:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432330#M123531 woodcock 2019-06-17T17:08:24Z https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432331#M123532 <P>no not in csv, it a set of data in which a particular filed in events is like that </P> Mon, 17 Jun 2019 18:51:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432331#M123532 varunawasthi9 2019-06-17T18:51:51Z https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432332#M123533 <P>eg:</P> <P>filedaccount = 123456,456789,789789</P> <P>in same filedaccount= 123456</P> <P>so when i search or get in table only i get is<BR /> 1 123456<BR /> 2 123456</P> <P>I want like it gets me complete data <BR /> 1 123456,456789,789789<BR /> 2 123456</P> Mon, 17 Jun 2019 19:30:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432332#M123533 varunawasthi9 2019-06-17T19:30:34Z https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432333#M123534 <P>You will have to create your own sourcetype-based field extraction on your search head like this:</P> <P>props.conf:</P> <PRE><CODE>[yourSourcetypeHere] REPORT-CustomKVPs = CustomKVPs KV_MODE = none </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[Custom_KVPs] REGEX = ([^\s=]+)\s*=\s*([^\s=]+) FORMAT = $1::$2 REPEAT_MATCH = true </CODE></PRE> Mon, 17 Jun 2019 19:48:47 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-we-only-able-to-extract-the-first-value-of-a-comma/m-p/432333#M123534 woodcock 2019-06-17T19:48:47Z