topic Re: Extract multiple values from a single field? in Splunk Search

Extract multiple values from a single field?

skoelpin — Mon, 23 Feb 2015 21:35:35 GMT

I'm trying to extract multiple values from a single field. I noticed that Splunk field extractor will only extract on value from each field, even if there are multiple values within that field.

Field 1:

INFO  2015-02-23 16:28:45,514  spatchMessageInspector fterReceiveRequest - Request Record : <CalculateTaxRequest>
<Redacted>
<Redacted>
INFO  2015-02-23 16:28:45,514  spatchMessageInspector fterReceiveResponse - Request Record : <CalculateTaxResponse>
<Redacted>
<Redacted>
INFO  2015-02-23 16:28:22,953  spatchMessageInspector fterReceiveRequest - Request Record :  <LookupTaxableAddressRequest

I am trying to extract 'CalculateTaxRequest', 'CalculateTaxResponse', and 'LookupTaxableAddress' but it will only extract the first value of 'CalculateTaxRequest' then go to the next field and only extract one value from it.

Re: Extract multiple values from a single field?

kml_uvce — Mon, 23 Feb 2015 21:55:02 GMT

send me your regex or props /transforms.conf data

Re: Extract multiple values from a single field?

KindaWorking — Mon, 23 Feb 2015 22:05:04 GMT

WPreston helped me solve this in one of his comments here: http://answers.splunk.com/answers/214368/how-to-extract-all-values-for-a-single-field-using.html

A quick quote from him:

To extract multiple values of the same field from a single event, you need to add your extraction to transforms.conf and add MV_ADD = True, then either create a new report stanza or add to an existing report stanza in props.conf for the host, source, or sourcetype that the field is associated with. For this example, I'll use a sourcetype of 'waterfall':

transforms.conf

     [Security_ID_Extraction]
     REGEX = Security\sID:\s+(?<SecurityID>.*)\n

 MV_ADD = True

props.conf

 [waterfall]
 REPORT-waterfall_fields = Security_ID_Extraction

Re: Extract multiple values from a single field?

lguinn2 — Mon, 23 Feb 2015 22:05:34 GMT

You can't use the Field Extractor to do this, but you can do it manually by editing props.conf. Field extraction happens at search time, so if you have a search head, edit the props.conf there; otherwise, do it on the indexer(s). Here is what you need, more or less:

[yoursourcetypehere]
EXTRACT-xyz1=Request Record\s*:\s*(?\<\S+?\>)

Given that you have redacted some data (understandably), my regular expressions may not be accurate. But you get the idea.

Now, my solution assumes that each line beginning with INFO is a separate event, and I think that is the best. BUT if all of this data is indexed as a single event, take a look at this answer for
information about multi-valued field extraction

Or see @KindaWorking's answer!