topic Re: Trouble with Field Extraction with multiple values on multiple lines in Splunk Search https://community.splunk.com/t5/Splunk-Search/Trouble-with-Field-Extraction-with-multiple-values-on-multiple/m-p/187574#M54028 <P>If your <CODE>event-breaking</CODE> is working properly (that is a BIG if), then all that should be necessary is to add this to your <CODE>props.conf</CODE>:</P> <PRE><CODE>[MySourceType] KV_MODE = multi </CODE></PRE> Wed, 01 Jul 2015 15:24:33 GMT woodcock 2015-07-01T15:24:33Z Trouble with Field Extraction with multiple values on multiple lines https://community.splunk.com/t5/Splunk-Search/Trouble-with-Field-Extraction-with-multiple-values-on-multiple/m-p/187573#M54027 <P>For the below data I want to create fields highlighted in data. The problem while extracting is that the data is in multiple lines so it is not considering as one event.<BR /><BR /> For Example: all this data under INFO should be as one event. <BR /> <STRONG>INFO</STRONG>: SOKY 01.05.2015 00:07:40.519<BR /> IDENT: GRS.S_FILEMANAGER_LASTFILES<BR /> PROCESS: FILEMAN<BR /> SOFTKEY: SYS:/resource/sk1024x768dirlastfils.bmx</P> <P>Similarly for other tags also. </P> <P><EM>Sample data</EM></P> <P><STRONG>Key</STRONG>: 0x01C4 -&gt;Edit 01.05.2015 00:07:38.293<BR /> <STRONG>INFO</STRONG>: MAIN ERRCLEARED 01.05.2015 00:07:38.293<BR /> N25846 External EMERGENCY STOP<BR /> <STRONG>ERR</STRONG>: N25846 External EMERGENCY STOP 01.05.2015 00:07:38.384<BR /> <STRONG>INFO</STRONG>: GEO 01.05.2015 00:07:38.384<BR /> ERROR SOURCE: GEORUN<BR /> <STRONG>Key</STRONG>: 0x01CB -&gt;PGM MGT 01.05.2015 00:07:38.524<BR /> <STRONG>Key</STRONG>: 0x0188 -&gt;Softkey 8 01.05.2015 00:07:40.519<BR /> <STRONG>INFO</STRONG>: SOKY 01.05.2015 00:07:40.519<BR /> IDENT: GRS.S_FILEMANAGER_LASTFILES<BR /> PROCESS: FILEMAN<BR /> SOFTKEY: SYS:/resource/sk\1024x768\dir\lastfils.bmx<BR /> <STRONG>INFO</STRONG>: SYS WINEVENT 01.05.2015 00:07:40.748<BR /> FILEMAN.STARTUP.READY<BR /> <STRONG>Key</STRONG>: 0x0189 -&gt;Softkey 9 01.05.2015 00:07:44.719<BR /> <STRONG>INFO</STRONG>: SOKY 01.05.2015 00:07:44.719<BR /> IDENT: GRS.S_BREAK<BR /> PROCESS: FILEMAN<BR /> SOFTKEY: SYS:/resource/sk\1024x768\allg\command.bmx<BR /> OVERLAY: 2<BR /> <STRONG>INFO</STRONG>: SOKY 01.05.2015 00:07:48.520<BR /> PROCESS: FILEMAN<BR /> <STRONG>Key</STRONG>: 0x01A8 -&gt;Enter 01.05.2015 00:07:48.520<BR /> <STRONG>Key</STRONG>: 0x01CB -&gt;PGM MGT 01.05.2015 00:07:51.124<BR /> <STRONG>INFO</STRONG>: SYS WINEVENT 01.05.2015 00:07:53.305<BR /> FILEMAN.STARTUP.READY<BR /> <STRONG>INFO</STRONG>: SOKY 01.05.2015 00:07:54.820<BR /> PROCESS: FILEMAN<BR /> <STRONG>Key</STRONG>: 0x01A1 -&gt;Cursor Down 01.05.2015 00:07:54.820<BR /> <STRONG>Key</STRONG>: 0x01A1 -&gt;Cursor Down 01.05.2015 00:07:55.009</P> <P>Kindly help.</P> Mon, 28 Sep 2020 20:26:55 GMT https://community.splunk.com/t5/Splunk-Search/Trouble-with-Field-Extraction-with-multiple-values-on-multiple/m-p/187573#M54027 20065945 2020-09-28T20:26:55Z Re: Trouble with Field Extraction with multiple values on multiple lines https://community.splunk.com/t5/Splunk-Search/Trouble-with-Field-Extraction-with-multiple-values-on-multiple/m-p/187574#M54028 <P>If your <CODE>event-breaking</CODE> is working properly (that is a BIG if), then all that should be necessary is to add this to your <CODE>props.conf</CODE>:</P> <PRE><CODE>[MySourceType] KV_MODE = multi </CODE></PRE> Wed, 01 Jul 2015 15:24:33 GMT https://community.splunk.com/t5/Splunk-Search/Trouble-with-Field-Extraction-with-multiple-values-on-multiple/m-p/187574#M54028 woodcock 2015-07-01T15:24:33Z