Splunk Search

How do I extract multiple values for a field in the same event using field extractions?

damucka
Builder

Hello,

I have the following event (all lines belong to the same event):

A Tue Oct 30 13:54:12:863 2018
A  ** RABAX: level LEV_RX_ATRA_CLEANUP entered.
A  ** RABAX: level LEV_RX_ATRA_CLEANUP completed.
A  ** RABAX: level LEV_RX_ERROR_SAVE entered.
A  ** RABAX: level LEV_RX_ERROR_SAVE completed.
A  ** RABAX: level LEV_RX_ERROR_TPDA entered.
A  ** RABAX: level LEV_RX_ERROR_TPDA completed.
A  ** RABAX: level LEV_RX_PXA_RELEASE_RUDI entered.
A  ** RABAX: level LEV_RX_PXA_RELEASE_RUDI completed.
A  ** RABAX: level LEV_RX_LIVE_CACHE_CLEANUP entered.
A  ** RABAX: level LEV_RX_LIVE_CACHE_CLEANUP completed.
A  ** RABAX: level LEV_RX_END entered.
A  ** RABAX: level LEV_RX_END completed.

and I would like to extract the text coming after "RABAX" to the new field called ABAPRABAX using the field extraction, regular expression. The point is that the extraction is taking only the first value.

How would I do this?

I found an answer in the following, but it is not exactly what I like:
https://answers.splunk.com/answers/620460/how-to-extract-multiple-values-for-a-field-in-the-1.html

It seems to me that it is REGEX specific and I need to restart Splunk for that.

As I have several such fields/cases and I may come up with even more quite often, is it possible to tell Splunk that e.g. all field extractions in my index / source type should be getting all values and not only the first from the event(s)?

I do not want to change the Splunk configuration and restart each time for that.

Kind Regards,
Kamil

Tags (1)
0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @damucka,

Please try below regex.

<yourBaseSearch> | rex field=_raw max_match=0 "\*\*\sRABAX\:\s(?<ABAPRABAX>.*)"

When you will use max_match=0, regex will find all possible values from field.

View solution in original post

aokur_splunk
Splunk Employee
Splunk Employee

This topic is covered pretty well  via the props/transforms settings as such:
 

transforms.conf

[mv_extract]
REGEX = \*\*\sRABAX\:\s(?<ABAPRABAX>.*)
MV_ADD = true
REPEAT_MATCH = true

 reference:
https://community.splunk.com/t5/Getting-Data-In/Multi-value-field-extraction-props-conf-transforms-c...

0 Karma

harsmarvania57
Ultra Champion

Hi @damucka,

Please try below regex.

<yourBaseSearch> | rex field=_raw max_match=0 "\*\*\sRABAX\:\s(?<ABAPRABAX>.*)"

When you will use max_match=0, regex will find all possible values from field.

damucka
Builder

Hi @harsmarvania57,

Yes, it works.
And I like this solution because it adds the fields for all sourcetypes in the same time, otherwise when I extract the ABAPREGEX field using the gui I need to state only one sourcetype and then I have to copy the field to the other sourcetypes manually, which I find a bit tedious process.
There is only one "but" about the solution above:
- It is a virtual field, correct? It will disappear withing the next search I do.
Is there any way to make it a permanent field?

Kind Regards,
Kamil

0 Karma

harsmarvania57
Ultra Champion

Yes, this is only virtual field when you will run search at that time if it will match REGEX then it will create otherwise not. If you do not want to specify regex in every search then you can use Field Extraction based on host or source or sourcetype.

0 Karma

damucka
Builder

Thank you, understand.
But then, in the field extraction based on the sourcetype, will I be able to define the max_match=0?
Otherwise I will get matched only the first value into the field.

0 Karma

harsmarvania57
Ultra Champion

In that case you need combination of Field extraction and Field Transformation, while providing REGEX in Field Transformation you need to select Create multivalued fields and use that transform in Field extraction.

If this answers helped you then please accept/upvote answer so that this question will be closed and it will be useful for other community members in future.

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...