In Extract Fields: how can you extract Multivalue Field using Regex Code?

So I have this:

                    01010101 01/02/2015 4200000  U-55555555-0000  1.00 
               Q CC                100 Random Text with numbers 676
               R BB                2 Another Random Text Message 23$kjaldsf@@

      01010101 01/02/2015 4200000  U-55555555-0000  1.00 
value 1 ==>(Q) CC                100 Random Text with numbers 676
value 2 ==>(R) BB                2 Another Random Text Message 23$kjaldsf@@

I can extract both fields using the rex command in search:

    index search ....| rex field=raw "\s(?[A-z])\s"_

It returns the multivalue field I want.
However, if I use the same regex in Extract Fields, it only takes the first value, "Q", not the second one. So how can I extract a multivalue field using the Extract Fields option? Let me know if that is even possible, and if it is, please let me know how.

This is how I wanted it to be:

otherField       WantedField        Date                   AnotherField              AnotherMultiValueField ....etc
01010101                 Q          01/02/2015              U-5555555-0000                        CC
                         R                                                                        BB 
0 Karma
Re: In Extract Fields: how can you extract Multivalue Field using Regex Code?

I was able to find out the answer: it can be done in Transforms.config or the rex pipe in the search head.

0 Karma
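
What the accepted answer points to, as an added example (not from the original thread): a search-time transform with `MV_ADD = true`, which keeps every match of the regex instead of only the first. The stanza name `wanted_field_mv`, the sourcetype `my_sourcetype` and the field name `WantedField` (borrowed from the question's table) are assumptions, because the capture-group name in the posted regex did not survive on the page.

```ini
# transforms.conf  (stanza name is an assumption)
[wanted_field_mv]
SOURCE_KEY = _raw
# A single letter surrounded by whitespace: matches "Q" and "R" in the sample event.
# [A-Za-z] is used here instead of the posted [A-z], which also matches [ \ ] ^ _ `
REGEX = \s([A-Za-z])\s
FORMAT = WantedField::$1
# Append each further match as another value instead of stopping at the first one
MV_ADD = true

# props.conf  (sourcetype name is an assumption)
[my_sourcetype]
REPORT-wanted_field_mv = wanted_field_mv

# Equivalent in the search bar; max_match=0 removes the limit on matches per event:
#   ... | rex field=_raw max_match=0 "\s(?<WantedField>[A-Za-z])\s"
```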