Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you extract all values for respective f...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you extract all values for respective fields from multi line event?
twh1
Communicator
09-11-2018
05:53 AM
I have below event in my log which is output of a single command.
TIMESTAMP=2018-09-11T06:47:56|HOSTNAME=a9tvdb152|Cluster_Resources=CRS_Cluster_resources
NAME=ora.ASMNET1LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.ASMNET2LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.DATA1_DG.dg
TYPE=ora.diskgroup.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
I am getting below fields in this event but with only first values not rest.
- TIMESTAMP
- NAME
- TYPE
- TARGET
- STATE
I need all value occurrence in respective field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
09-11-2018
06:59 AM
can you try this?
| makeresults
| eval data="TIMESTAMP=2018-09-11T06:47:56|HOSTNAME=a9tvdb152|Cluster_Resources=CRS_Cluster_resources
NAME=ora.ASMNET1LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.ASMNET2LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.DATA1_DG.dg
TYPE=ora.diskgroup.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153" | rex field=data max_match=0 "NAME\=(?<NAME>.*)\s*TYPE\=(?<Type>.*)\s*TARGET\=(?<TARGET>.*)\s*STATE\=(?<STATE>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
09-11-2018
08:30 AM
HI @mayurr98 ,
I tried above option and got the result in tablular format. But all data is displayed as single event. Not as multiple row.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
09-11-2018
06:07 AM
are you using regex to extract the values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
09-12-2018
10:19 AM
@Sukisen1981
As I mentioned, event is output of single command. I am not using regex. I need to extract the field run time.
Get Updates on the Splunk Community!
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
Splunk Mobile: Your Brand-New Home Screen
Meet Your New Mobile Hub
Hello Splunk Community!
Staying connected to your data—no matter where you are—is ...
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...
