Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract two fields with the same field name from a multiline event?

stevepraz
Path Finder
‎04-17-2015 05:45 AM

Trying to get some data from our alerting/event system into Splunk. There is a report with key value pairs that already existed so I attempted to use that. I am running into an issue with the Journal field, which can occur multiple times if the event has been updated frequently. I have an extraction that works for the first one, but no way to get any additional ones if they occur.

Here is a sample of the data:

SevReq=0
Ticket=NoTicket
Type=1
DataCenter=dc1
    State=Closed
Journal=2015/04/09 21:39:15 Alert acknowledged by user1. 
Journal=2015/04/09 22:47:30 Alert Closed by user2.

END
Here is my extraction that works for the first line:

Journal=(?P.*)

Reply
1 Solution
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-17-2015 06:22 AM

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....

View solution in original post

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 06:31 AM

You can set max_match = 0 to retrieve more than one match of your capture group: rex reference

Reply
Solved! Jump to solution

gwilliams1_2
Engager
‎10-10-2017 12:24 PM

how do you get this to work with field extractions though?

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 06:32 AM

Ah, stephane_cyrille was faster 🙂

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-17-2015 07:47 AM

You can just vote when your agree. I like your speed jeffland......

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 08:11 AM

I know... You simply posted while I was writing my answer (which took some time as I got a little sidetracked trying stuff on regex101.com) 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-17-2015 06:22 AM

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...