Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract multiple values for a field in the same event using field extractions?

damucka
Builder
‎10-30-2018 06:04 AM

Hello,

I have the following event (all lines belong to the same event):

A Tue Oct 30 13:54:12:863 2018
A  ** RABAX: level LEV_RX_ATRA_CLEANUP entered.
A  ** RABAX: level LEV_RX_ATRA_CLEANUP completed.
A  ** RABAX: level LEV_RX_ERROR_SAVE entered.
A  ** RABAX: level LEV_RX_ERROR_SAVE completed.
A  ** RABAX: level LEV_RX_ERROR_TPDA entered.
A  ** RABAX: level LEV_RX_ERROR_TPDA completed.
A  ** RABAX: level LEV_RX_PXA_RELEASE_RUDI entered.
A  ** RABAX: level LEV_RX_PXA_RELEASE_RUDI completed.
A  ** RABAX: level LEV_RX_LIVE_CACHE_CLEANUP entered.
A  ** RABAX: level LEV_RX_LIVE_CACHE_CLEANUP completed.
A  ** RABAX: level LEV_RX_END entered.
A  ** RABAX: level LEV_RX_END completed.

and I would like to extract the text coming after "RABAX" to the new field called ABAPRABAX using the field extraction, regular expression. The point is that the extraction is taking only the first value.

How would I do this?

I found an answer in the following, but it is not exactly what I like:
https://answers.splunk.com/answers/620460/how-to-extract-multiple-values-for-a-field-in-the-1.html

It seems to me that it is REGEX specific and I need to restart Splunk for that.

As I have several such fields/cases and I may come up with even more quite often, is it possible to tell Splunk that e.g. all field extractions in my index / source type should be getting all values and not only the first from the event(s)?

I do not want to change the Splunk configuration and restart each time for that.

Kind Regards,
Kamil

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎10-30-2018 06:19 AM

Hi @damucka,

Please try below regex.

<yourBaseSearch> | rex field=_raw max_match=0 "\*\*\sRABAX\:\s(?<ABAPRABAX>.*)"

When you will use max_match=0, regex will find all possible values from field.

View solution in original post

Reply
Solved! Jump to solution

aokur_splunk
Splunk Employee
Splunk Employee
‎11-10-2023 08:26 AM

This topic is covered pretty well  via the props/transforms settings as such:
 

transforms.conf

[mv_extract]
REGEX = \*\*\sRABAX\:\s(?<ABAPRABAX>.*)
MV_ADD = true
REPEAT_MATCH = true

 reference:
https://community.splunk.com/t5/Getting-Data-In/Multi-value-field-extraction-props-conf-transforms-c...

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎10-30-2018 06:19 AM

Hi @damucka,

Please try below regex.

<yourBaseSearch> | rex field=_raw max_match=0 "\*\*\sRABAX\:\s(?<ABAPRABAX>.*)"

When you will use max_match=0, regex will find all possible values from field.

Reply
Solved! Jump to solution

damucka
Builder
‎10-30-2018 06:43 AM

Hi @harsmarvania57,

Yes, it works.
And I like this solution because it adds the fields for all sourcetypes in the same time, otherwise when I extract the ABAPREGEX field using the gui I need to state only one sourcetype and then I have to copy the field to the other sourcetypes manually, which I find a bit tedious process.
There is only one "but" about the solution above:
- It is a virtual field, correct? It will disappear withing the next search I do.
Is there any way to make it a permanent field?

Kind Regards,
Kamil

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎10-30-2018 07:05 AM

Yes, this is only virtual field when you will run search at that time if it will match REGEX then it will create otherwise not. If you do not want to specify regex in every search then you can use Field Extraction based on host or source or sourcetype.

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎10-30-2018 07:15 AM

Thank you, understand.
But then, in the field extraction based on the sourcetype, will I be able to define the max_match=0?
Otherwise I will get matched only the first value into the field.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎10-30-2018 07:34 AM

In that case you need combination of Field extraction and Field Transformation, while providing REGEX in Field Transformation you need to select Create multivalued fields and use that transform in Field extraction.

If this answers helped you then please accept/upvote answer so that this question will be closed and it will be useful for other community members in future.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...