I get the event,
IP="127.0.0.1",..., TAG_NAME="GRP_ROOT_MGT", TAG_NAME="GRP_IS_MM_MGT", TAG_NAME="GRP_RB_NN_MGT", BU_NAME="BU_RB_NN", ...
The problem is that, one field has multiple values and Splunk detects just the first "TAG_NAME" and ignores the second and third one. However, I need them all. How can I get all of them?
I want something like:
... TAG1="xxx", TAG2="xxx", TAG3="xxx", ...
Please give me some idea or some help,
Thank you very much
You would have to set multivalued field extractions for your data.
Using transforms (example with almost same use-case as yours)
If you're using the
rex command to extract the TAG_NAME fields, be sure to add the
max_match=0 option to tell Splunk to return all instances of the field.
If you're extracting the field some other way, please explain so we can help you.