Solved: Re: How to extract repeated field values in same e...

rajs115 · ‎11-05-2021

Hi Guys, I am new to splunk. I need to run a query to extract the system name value which is repeated twice in the same log event. Logs in one event are: user: user1 system: system1 user:user2 system: system2 output should look like below: output1 output2 system1 system2 cheers.

ITWhisperer · ‎11-05-2021

| rex max_match=2 "system:\s(?<system>[\S]+)"
| eval system1=mvindex(system,0)
| eval system2=mvindex(system,1)

View solution in original post

ITWhisperer · ‎11-05-2021

| rex max_match=2 "system:\s(?<system>[\S]+)"
| eval system1=mvindex(system,0)
| eval system2=mvindex(system,1)

rajs115 · ‎11-05-2021

@ITWhisperer ,

Logs in one event are:

user: user1

system: system1

user:user2

system: system2

output should look like below:

output1 output2

system1 system2

I tried as you suggested. Not returning any values.

ITWhisperer · ‎11-05-2021

Can you share the raw events in a code block </>

rajs115 · ‎11-05-2021

@ITWhisperer ,

Its working now. Made a slight change from your command. Not sure it its appropriate or not. is there any way we can compare these two values or same or not (if system1=system2)

| rex max_match=2 "system:\s(?<system>[\S]+)"
| eval system1=mvindex(system,-1)
| eval system2=mvindex(system,0)

rajs115 · ‎11-05-2021

Logs in one event are: user: user1 system: system1 user:user2 system: system2 output should look like below: output1 output2 system1 system2

How to extract repeated field values in same event?

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!