- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field extraction issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field extraction issue
A transaction log format as follows:
------Procedure[xxx]'s input paramaters:
journalNo = 111111
custormerId = 22222
payAccName = test1
payAcct = 12000000312313131
recAccName = name1
recAcct = 795729419
hostCode = 23131
businessCode = CB704
------Procedure[xxx]'s input paramaters:
recAccName = name1
recAcct = 795729419
tranAmt = 40378.00
custormerId = 22222
------Procedure[xxx]'s input paramaters:
recAccName = name2
recAcct = 192723415
tranAmt = 13033.00
custormerId = 22222
------Procedure[xxx]'s output paramaters:
procRetCode = 00000
I extract field of recAccName(field of recAccName contains name1 name2 name3 name4 name5).Field extraction: (?i)\nrecAccName\s=\s(?P<ebank_recAccName>\S+) .After extract,field of ebank_recAccName only have name1 name2 name4 name5.Why?
[ebankraw]
SHOULD_LINEMERGE = False
KV_MODE = none
TIME_PREFIX = \[
TIME_FORMAT = %y-%m-%d %H:%M:%S:%3N
TZ =Asia/Shanghai
NO_BINARY_CHECK = true
invalid_cause = archive
unarchive_cmd = _auto
CHARSET = GB2312
Yes,there are more rows in my events,with recAccName = name3 name4 name5 name6 name7 etc.It's just a sample.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change
KV_MODE = none
to:
KV_MODE = auto
And Splunk should extract the field automatically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what you are trying to accomplish either, but it seems that every ------Procedure[xxx]'s input paramaters: is its own event. Why not use BREAK_ONLY_BEFORE = -{6}Procedure? Since everything seem to be in key=value splunk should auto-extract. Which should get around haveing to use MV_ADD=true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your sample only contains name1 and name2. Are you saying that there are more rows in your events, with other recAccName = xxx lines?
Not really sure about what you're trying to accomplish, but have you looked at MV_ADD=true in transforms.conf (called from props.conf)?
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your sample data does not include the event containing "name3" so it's hard to say what goes wrong there...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You mean you found value "交易3" was lost in the multi valued field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you post your props/transforms?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
