Solved: Re: Extract multiple values when field is in the s...

bcarr12 · ‎07-05-2017

Hi all,

I am working with a log that can sometimes have the same field in one log entry more than one time, but with multiple values.

Examples:

Ex 1:
100=A

Ex 2:
100=A 100=B 100=C

Ex 3:
100=D

Ex 4:
100=A 100=D

As I've seen discussed before, Splunk only seems to pull the first value out whenever the field is repeated. What would be the best way to tell Splunk at searchtime that I want to pull all "100" values from the log and not just the first one?

DalJeanis · ‎07-05-2017

Try this -

| rex field=_raw "100=(?<my100>\w+)" max_match=0

View solution in original post

cpetterborg · ‎07-05-2017

If you just want to get the values in the same field as a multivalve field, then this type search should work:

| makeresults | eval _raw="100=A 100=B 100=C" | rex field=_raw max_match=10 "100=(?P<field100>\w+)"

bcarr12 · ‎07-05-2017

Thanks for the suggestion!

DalJeanis · ‎07-05-2017

Try this -

| rex field=_raw "100=(?<my100>\w+)" max_match=0

bcarr12 · ‎07-05-2017

Thanks, this worked perfectly!

xlash911 · ‎12-19-2019

Saved my life, thanks!

Extract multiple values when field is in the same log twice

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform