https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241611#M71844 <P>How are extracting the fields now?</P> Mon, 14 Mar 2016 17:08:21 GMT richgalloway 2016-03-14T17:08:21Z https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241610#M71843 <P>Hey,</P> <P>I have some data that looks like this:</P> <P><CODE>Jan 01 01:02:03 host123 serial123 Version=1.0, Check=01 , Check=02 , Check=03 , Check=04 , Check=05 , Server=ABC, Server=DEF</CODE></P> <P>Splunk is currently only extracting the first occurrence of field Check (i.e. 01) and field Server (i.e. ABC) by default.<BR /> What do I need to add to the Splunk config to force all occurrences of these fields to be extracted?</P> <P>Thanks</P> Mon, 14 Mar 2016 16:48:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241610#M71843 Ant1D 2016-03-14T16:48:55Z https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241611#M71844 <P>How are extracting the fields now?</P> Mon, 14 Mar 2016 17:08:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241611#M71844 richgalloway 2016-03-14T17:08:21Z https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241612#M71845 <P>You can do this through field transformations with the multivalue checkbox checked: <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms</A></P> Mon, 14 Mar 2016 18:08:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241612#M71845 martin_mueller 2016-03-14T18:08:26Z https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241613#M71846 <P>Splunk extracts the first occurrence only by default. What I am expecting is for the field "Check" to be assigned values 01, 02, 03, 04 and 05</P> Tue, 15 Mar 2016 07:59:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241613#M71846 Ant1D 2016-03-15T07:59:39Z https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241614#M71847 <P>Hi, thanks for this but it is not what I am looking for. I want the fields "Check" and "Server" to be assigned all of the fields in the event without having to use any additional search commands. Is there Splunk config which will force this to happen?</P> Tue, 15 Mar 2016 08:03:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241614#M71847 Ant1D 2016-03-15T08:03:45Z https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241615#M71848 <P>Looks like I got the wrong link, fixed... that's config only. </P> Tue, 15 Mar 2016 08:21:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241615#M71848 martin_mueller 2016-03-15T08:21:37Z https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241616#M71849 <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles</A></P> <P>The section titled <STRONG>Handling events with multivalue fields</STRONG> seems to be what I am looking for. The below does what I need.</P> <P>In transforms.conf:</P> <P><CODE>[mv-check]</CODE><BR /> <CODE>REGEX = Check=(?&lt;Check&gt;\d+)[,\s]+</CODE><BR /> <CODE>MV_ADD = true<BR /> </CODE><BR /> In props.conf:</P> <P><CODE>REPORT-mychecks = mv-check</CODE></P> Tue, 15 Mar 2016 09:32:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-handle-events-where-the-same-field-occurs-multiple-times/m-p/241616#M71849 Ant1D 2016-03-15T09:32:12Z