All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple field extractions per entry

aaronkorn
Splunk Employee
Splunk Employee
‎01-08-2013 12:09 PM

Hello!

We have multiple xml entries that are in the form below to show alerting situations, the name, type, and distribution. These alerts are distributed to different systems as shown below. How can i encapsulate all the available distributions instead of just one when i setup my field extractions? The field extraction works great when there is only one distribution but when it has multiple like the example below we only get the first one, not all of them. Any help would be appreciated!


UPMC_0163_LZ_Proc_High_CM_CPU
Linux OS
y03prd00:LZ
y03prd01:LZ
y03prd02:LZ
y03prd03:LZ
y03prd04:LZ
y03prd05:LZ
y03prd06:LZ
y03prd07:LZ
y03prd08:LZ
y03prd09:LZ
y03prd10:LZ
y03prd11:LZ

0 Karma
Reply

kristian_kolb
Ultra Champion
‎01-15-2013 01:23 PM

I'm guessing you could do this in several ways;

1) through the use of rex in the search pipeline

...| rex  "<dist>(?<dist>[^<]+)</dist>" max_match=0 | ...

2) through props/transforms

props.conf

[your_sourcetype]
REPORT-blah = dist_extract

transforms.conf

[dist_extract]
REGEX=<dist>([^<]+)<
FORMAT = dist::$1
MV_ADD=true

Perhaps also xmlkv can provide multivalued fields, but I have little experience of that particular search command.

Hope this helps,

Kristian

0 Karma
Reply

Rob
Splunk Employee
Splunk Employee
‎01-15-2013 12:48 PM

How are you trying to extract these fields? Are you looking to field extractions via the search command line or via configuration files?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...