Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you extract all values for respective field...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you extract all values for respective fields from multi line event?
twh1
Communicator
09-11-2018
05:53 AM
I have below event in my log which is output of a single command.
TIMESTAMP=2018-09-11T06:47:56|HOSTNAME=a9tvdb152|Cluster_Resources=CRS_Cluster_resources
NAME=ora.ASMNET1LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.ASMNET2LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.DATA1_DG.dg
TYPE=ora.diskgroup.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
I am getting below fields in this event but with only first values not rest.
- TIMESTAMP
- NAME
- TYPE
- TARGET
- STATE
I need all value occurrence in respective field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
09-11-2018
06:59 AM
can you try this?
| makeresults
| eval data="TIMESTAMP=2018-09-11T06:47:56|HOSTNAME=a9tvdb152|Cluster_Resources=CRS_Cluster_resources
NAME=ora.ASMNET1LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.ASMNET2LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.DATA1_DG.dg
TYPE=ora.diskgroup.type
TARGET=ONLINE , ONLINE , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153" | rex field=data max_match=0 "NAME\=(?<NAME>.*)\s*TYPE\=(?<Type>.*)\s*TARGET\=(?<TARGET>.*)\s*STATE\=(?<STATE>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
09-11-2018
08:30 AM
HI @mayurr98 ,
I tried above option and got the result in tablular format. But all data is displayed as single event. Not as multiple row.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
09-11-2018
06:07 AM
are you using regex to extract the values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twh1
Communicator
09-12-2018
10:19 AM
@Sukisen1981
As I mentioned, event is output of single command. I am not using regex. I need to extract the field run time.
Get Updates on the Splunk Community!
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
Splunk Decoded: Business Transactions vs Business IQ
It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...
Fastest way to demo Observability
I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...
