topic Re: Multiple values, same field -- how? in Splunk Search

Multiple values, same field -- how?

the_wolverine — Fri, 11 Feb 2011 03:31:53 GMT

I'm not sure how to workaround an issue where my field extraction is working on multiple values of the same field. For example, I have the following event that contains lines from ldap:

(this is in one event)

memberOf: CN=tina
memberOf: CN=toby
memberOf: CN=ben

My field extraction looks like this:

(?i)memberOf: (?P<memberOf>[^\n]+)

Splunk only pulls out the first instance of memberOf (CN=tina) and ignores the others. Is there a simple solution for this?

Re: Multiple values, same field -- how?

gkanapathy — Fri, 11 Feb 2011 03:49:10 GMT

I edited your source event data to match the regex. Please verify that I edited it correctly. Thanks.

Re: Multiple values, same field -- how?

the_wolverine — Fri, 11 Feb 2011 07:54:07 GMT

Comments doesn't allow me to format so here's my comment as a response:

How do I configure props so that it can be referenced in transforms? The following doesn't appear to work at all:

props.conf:

[ldif] 
EXTRACT-memberOf = multivalue_ldif

transforms: [multivalue_ldif]

REGEX = (?i)memberOf: CN=(?P<memberOf>[^\,]+) 
MV_ADD = true

Re: Multiple values, same field -- how?

Stephen_Sorkin — Fri, 11 Feb 2011 12:17:49 GMT

REPORT-memberOf = multivalue_ldif. The EXTRACT signifies inline regex.

Re: Multiple values, same field -- how?

the_wolverine — Fri, 11 Feb 2011 13:27:40 GMT

w00t. Thanks Ledion and Stephen!