Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting the repeated fields from _raw

tomarcen
New Member
‎12-15-2014 07:53 PM

Hi.
I've load splunk with my email logs.
I'm getting all the url's in an email in _raw field.

In an e-mail, if there are 10 hyperlinks, I'm getting all the links as url in _raw , but I need them in a column of a table with url & sender columns.

When I pipe and table the output, I'm getting only the first url as the output In url field.

So how to get all the url's tabled in same column.

0 Karma
Reply

tomarcen
New Member
‎12-15-2014 11:23 PM

That dint work. I tried and got the same output - only the first url is showing.

Problem is all the repeated fields like url or recipients are in same event of splunk..

So, I need a query to get the repeated fields like url or recipient repeated multiple times in same event.

In simple words : in one event, I'm getting multiple recipients but after using the above query also, I'm getting the same result(only the first url or recipient in that event)

0 Karma
Reply

kml_uvce
Builder
‎12-15-2014 08:38 PM

try this
your search| eval url_name=mvjoin(url, ";")|table url_name

kamal singh bisht
0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...