topic Re: normalising duplicate multivalue field in Splunk Search

normalising duplicate multivalue field

ytl — Thu, 14 Apr 2011 08:07:10 GMT

so i have numerous field extractions in place. unfortunately due to the number of regex's there are some events that match two field extractions. the issue is that i have the same field name defined in both extractions.

this isn't a problem as splunk is nice enough to create a multivalue field for me automatically. it just so happens that the value of that field is the same for both entries!

is there a way i can reduce/normalise this so it doesn't show twice? (without reconstructing my regex's)

Re: normalising duplicate multivalue field

gkanapathy — Thu, 14 Apr 2011 11:02:00 GMT

There really isn't an easy way globally.

In general, you might look at:

Using app namespaces to control when particular extractions are performed. If some are only needed in certain contexts, then perhaps these contexts could be separated out into their own app to avoid this kind of conflict
Making the regexes more precise and/or combining multiple regexes into a single one that retrieves multiple fields

Re: normalising duplicate multivalue field

ytl — Fri, 15 Apr 2011 02:21:41 GMT

oh well... back to restructuring my regex's i guess... just a thought, when i do a top on such a field - would it double count? cheers,