I get the event,
IP="127.0.0.1",..., TAG_NAME="GRP_ROOT_MGT", TAG_NAME="GRP_IS_MM_MGT", TAG_NAME="GRP_RB_NN_MGT", BU_NAME="BU_RB_NN", ...
The problem is that, one field has multiple values and Splunk detects just the first "TAG_NAME" and ignores the second and third one. However, I need them all. How can I get all of them?
I want something like:
... TAG1="xxx", TAG2="xxx", TAG3="xxx", ...
Please give me some idea or some help,
Thank you very much
If you're using the
rex command to extract the TAGNAME fields, be sure to add the `maxmatch=0` option to tell Splunk to return all instances of the field.
If you're extracting the field some other way, please explain so we can help you.
You would have to set multivalued field extractions for your data.
Using transforms (example with almost same use-case as yours)