Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract two fields with the same field name from a multiline event?

stevepraz
Path Finder
‎04-17-2015 05:45 AM

Trying to get some data from our alerting/event system into Splunk. There is a report with key value pairs that already existed so I attempted to use that. I am running into an issue with the Journal field, which can occur multiple times if the event has been updated frequently. I have an extraction that works for the first one, but no way to get any additional ones if they occur.

Here is a sample of the data:

SevReq=0
Ticket=NoTicket
Type=1
DataCenter=dc1
    State=Closed
Journal=2015/04/09 21:39:15 Alert acknowledged by user1. 
Journal=2015/04/09 22:47:30 Alert Closed by user2.

END
Here is my extraction that works for the first line:

Journal=(?P.*)

Reply
1 Solution
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-17-2015 06:22 AM

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....

View solution in original post

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 06:31 AM

You can set max_match = 0 to retrieve more than one match of your capture group: rex reference

Reply
Solved! Jump to solution

gwilliams1_2
Engager
‎10-10-2017 12:24 PM

how do you get this to work with field extractions though?

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 06:32 AM

Ah, stephane_cyrille was faster 🙂

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-17-2015 07:47 AM

You can just vote when your agree. I like your speed jeffland......

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 08:11 AM

I know... You simply posted while I was writing my answer (which took some time as I got a little sidetracked trying stuff on regex101.com) 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-17-2015 06:22 AM

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...