Solved: Extract multiple values when field is in the same ...

bcarr12 · ‎07-05-2017

Hi all,

I am working with a log that can sometimes have the same field in one log entry more than one time, but with multiple values.

Examples:

Ex 1:
100=A

Ex 2:
100=A 100=B 100=C

Ex 3:
100=D

Ex 4:
100=A 100=D

As I've seen discussed before, Splunk only seems to pull the first value out whenever the field is repeated. What would be the best way to tell Splunk at searchtime that I want to pull all "100" values from the log and not just the first one?

DalJeanis · ‎07-05-2017

Try this -

| rex field=_raw "100=(?<my100>\w+)" max_match=0

View solution in original post

cpetterborg · ‎07-05-2017

If you just want to get the values in the same field as a multivalve field, then this type search should work:

| makeresults | eval _raw="100=A 100=B 100=C" | rex field=_raw max_match=10 "100=(?P<field100>\w+)"

bcarr12 · ‎07-05-2017

Thanks for the suggestion!

DalJeanis · ‎07-05-2017

Try this -

| rex field=_raw "100=(?<my100>\w+)" max_match=0

bcarr12 · ‎07-05-2017

Thanks, this worked perfectly!

xlash911 · ‎12-19-2019

Saved my life, thanks!

Extract multiple values when field is in the same log twice

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...