https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300513#M90475 <P>More than likely this won't work, but you might able to try adding the following stanza to transforms.conf to extract them and turn them into fields automatically (don't forget to reference it from props.conf):</P> <PRE><CODE>[get-params] REGEX = Param=\"-(.+?)\s'(.+?)'\" FORMAT = $1::$2 MV_ADD = true </CODE></PRE> Wed, 22 Nov 2017 06:23:34 GMT mtulett_splunk 2017-11-22T06:23:34Z https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300511#M90473 <P>We noticed that Microsoft OWA logs produce a repeating field. How can we make them into individual ones instead of just picking up the first hit?</P> <P>E.g. the Param field in the log below. </P> <P><CODE>11/17/2017 1:45:05 PM Server="SERVER" User="EMAIL@Email.com" Identity="stuff" Cmdlet="New-InboxRule" Param="-SubjectContainsWords 'Account limit has been exceeded'" Param="-DeleteMessage 'True'" Param="-Name 'Subject contains 'Account limit has been exceeded''" Param="-StopProcessingRules 'True'" Param="-Force 'True'" Param="-AlwaysDeleteOutlookRulesBlob 'True'" Success="True" Error="None"</CODE></P> Wed, 22 Nov 2017 04:41:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300511#M90473 uhaba 2017-11-22T04:41:34Z https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300512#M90474 <P>you can extract fields by using props.conf and transforms.conf or extract from web-gui, you can also give different names like param1, param2 etc </P> Wed, 22 Nov 2017 05:24:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300512#M90474 kml_uvce 2017-11-22T05:24:52Z https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300513#M90475 <P>More than likely this won't work, but you might able to try adding the following stanza to transforms.conf to extract them and turn them into fields automatically (don't forget to reference it from props.conf):</P> <PRE><CODE>[get-params] REGEX = Param=\"-(.+?)\s'(.+?)'\" FORMAT = $1::$2 MV_ADD = true </CODE></PRE> Wed, 22 Nov 2017 06:23:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300513#M90475 mtulett_splunk 2017-11-22T06:23:34Z https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300514#M90476 <P>It is a very informational and commendable update indeed.Even I was also looking out for the following.I want to include with it that I have been facing a problem regarding the GPS signal which is not found.I have tried out the troubleshooting procedures:<BR /> 1. Disabled the Mock Locations. Step 1: On my Samsung Android smartphone, gone to Settings &gt; About Phone.<BR /> 2. Toggled Airplane mode on/off.<BR /> 3. Reset Location Settings.<BR /> 4. Restarted the Phone.<BR /> 5. Retested the Network Settings.<BR /> 6. Updated the Pokémon GO.<BR /> Suggest us anything else we need to include regarding the <A href="https://mapsupdates.org/garmin-map-updates-free-download/">garmin map updates free download 2019</A> for the perfect resolution.</P> Wed, 08 Apr 2020 06:26:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-deal-with-repeating-fields-in-a-single-event/m-p/300514#M90476 susan78 2020-04-08T06:26:19Z