Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract all values from a field with mu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract all values from a field with multiple values?
Hello,
I get the event,
IP="127.0.0.1",..., TAG_NAME="GRP_ROOT_MGT", TAG_NAME="GRP_IS_MM_MGT", TAG_NAME="GRP_RB_NN_MGT", BU_NAME="BU_RB_NN", ...
The problem is that, one field has multiple values and Splunk detects just the first "TAG_NAME" and ignores the second and third one. However, I need them all. How can I get all of them?
I want something like:
...
TAG1="xxx",
TAG2="xxx",
TAG3="xxx",
...
Please give me some idea or some help,
Thank you very much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would have to set multivalued field extractions for your data.
Using transforms (example with almost same use-case as yours)
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...
Using fields.conf
http://docs.splunk.com/Documentation/Splunk/6.0.1/Knowledge/ConfigureSplunktoparsemulti-valuefields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Show us how you are getting the single-value field value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for replying,
I get from a python script,
now I find a method
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're using the rex command to extract the TAG_NAME fields, be sure to add the max_match=0 option to tell Splunk to return all instances of the field.
If you're extracting the field some other way, please explain so we can help you.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it works with the parameter"max_match"
Thank you a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please click Accept to close the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
worked for me with same issue , this should be accepted answer 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
