
How to extract all values from a field with multiple values?

Path Finder

Hello,

I get the event,

IP="127.0.0.1",..., TAG_NAME="GRP_ROOT_MGT", TAG_NAME="GRP_IS_MM_MGT", TAG_NAME="GRP_RB_NN_MGT", BU_NAME="BU_RB_NN", ...

The problem is that one field has multiple values, and Splunk detects just the first "TAG_NAME" and ignores the second and third ones. However, I need them all. How can I get all of them?

I want something like:

...
TAG1="xxx",
TAG2="xxx",
TAG3="xxx",
...

Please give me some idea or some help,
Thank you very much

0 Karma

Re: How to extract all values from a field with multiple values?

SplunkTrust

If you're using the rex command to extract the TAG_NAME fields, be sure to add the `max_match=0` option to tell Splunk to return all instances of the field.

If you're extracting the field some other way, please explain so we can help you.

---
If this reply helps you, an upvote would be appreciated.
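
The search below is an added example, not part of the original reply. It uses `makeresults` to build a constructed event modelled on the one in the question (with the elided parts left out), extracts every TAG_NAME value with `rex max_match=0`, and then splits the resulting multivalue field into the numbered TAG1 to TAG3 fields the question asks for; `tag_count` is a field name chosen here for illustration.

```spl
| makeresults
| eval _raw="IP=\"127.0.0.1\", TAG_NAME=\"GRP_ROOT_MGT\", TAG_NAME=\"GRP_IS_MM_MGT\", TAG_NAME=\"GRP_RB_NN_MGT\", BU_NAME=\"BU_RB_NN\""
| rex max_match=0 "TAG_NAME=\"(?<TAG_NAME>[^\"]+)\""
| eval tag_count=mvcount(TAG_NAME)
| eval TAG1=mvindex(TAG_NAME, 0), TAG2=mvindex(TAG_NAME, 1), TAG3=mvindex(TAG_NAME, 2)
| table TAG_NAME tag_count TAG1 TAG2 TAG3
```

Without `max_match=0`, `rex` stops at the first match and TAG_NAME holds only `GRP_ROOT_MGT`, so `tag_count` is 1 and TAG2 and TAG3 are empty.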

Re: How to extract all values from a field with multiple values?

Path Finder

It works with the parameter "max_match".
Thank you a lot!

0 Karma

Re: How to extract all values from a field with multiple values?

Explorer

Worked for me with the same issue, this should be the accepted answer 🙂

0 Karma

Re: How to extract all values from a field with multiple values?

Esteemed Legend

Please click Accept to close the question.

0 Karma

Re: How to extract all values from a field with multiple values?

Esteemed Legend

Show us how you are getting the single-value field value.

0 Karma

Re: How to extract all values from a field with multiple values?

Path Finder

Thank you for replying.
I get it from a Python script;
now I have found a method.

0 Karma

Re: How to extract all values from a field with multiple values?

SplunkTrust

You would have to set multivalued field extractions for your data.
Using transforms (example with almost the same use case as yours):
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

Using fields.conf:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

0 Karma