How to extract all values from a field with multip...

Lindaiyu · ‎04-07-2016

Hello,

I get the event,

IP="127.0.0.1",..., TAG_NAME="GRP_ROOT_MGT", TAG_NAME="GRP_IS_MM_MGT", TAG_NAME="GRP_RB_NN_MGT", BU_NAME="BU_RB_NN", ...

The problem is that, one field has multiple values and Splunk detects just the first "TAG_NAME" and ignores the second and third one. However, I need them all. How can I get all of them?

I want something like:

...
TAG1="xxx",
TAG2="xxx",
TAG3="xxx",
...

Please give me some idea or some help,
Thank you very much

somesoni2 · ‎04-07-2016

You would have to set multivalued field extractions for your data.
Using transforms (example with almost same use-case as yours)
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

Using fields.conf

http://docs.splunk.com/Documentation/Splunk/6.0.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

woodcock · ‎04-07-2016

Show us how you are getting the single-value field value.

Lindaiyu · ‎04-07-2016

Thank you for replying,
I get from a python script,
now I find a method

richgalloway · ‎04-07-2016

If you're using the rex command to extract the TAG_NAME fields, be sure to add the max_match=0 option to tell Splunk to return all instances of the field.

If you're extracting the field some other way, please explain so we can help you.

---
If this reply helps you, Karma would be appreciated.

Lindaiyu · ‎04-07-2016

it works with the parameter"max_match"
Thank you a lot!

woodcock · ‎07-10-2019

Please click Accept to close the question.

sander980 · ‎07-10-2019

worked for me with same issue , this should be accepted answer 🙂

How to extract all values from a field with multiple values?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?