Solved: Extract multiple values when field is in the same ...

bcarr12 · ‎07-05-2017

Hi all,

I am working with a log that can sometimes have the same field in one log entry more than one time, but with multiple values.

Examples:

Ex 1:
100=A

Ex 2:
100=A 100=B 100=C

Ex 3:
100=D

Ex 4:
100=A 100=D

As I've seen discussed before, Splunk only seems to pull the first value out whenever the field is repeated. What would be the best way to tell Splunk at searchtime that I want to pull all "100" values from the log and not just the first one?

DalJeanis · ‎07-05-2017

Try this -

| rex field=_raw "100=(?<my100>\w+)" max_match=0

View solution in original post

cpetterborg · ‎07-05-2017

If you just want to get the values in the same field as a multivalve field, then this type search should work:

| makeresults | eval _raw="100=A 100=B 100=C" | rex field=_raw max_match=10 "100=(?P<field100>\w+)"

bcarr12 · ‎07-05-2017

Thanks for the suggestion!

DalJeanis · ‎07-05-2017

Try this -

| rex field=_raw "100=(?<my100>\w+)" max_match=0

bcarr12 · ‎07-05-2017

Thanks, this worked perfectly!

xlash911 · ‎12-19-2019

Saved my life, thanks!

Extract multiple values when field is in the same log twice

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Are you a member of the Splunk Community?

Extract multiple values when field is in the same log twice

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination