Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Mixed Multivalued Field Extraction

brianjbrady
Engager
‎10-08-2013 04:30 PM

I am having some issues pulling fields out of some particularly strange logging statements, kind of a mix of multivalued and traditional.

For Example:

10/08/2013 23:00:00 INFO:   |   INF|SVC|TASK|1233212123|something happened when ip=128 and stranger=asdf

I need to pull out the following fields:

Field 1: field1=INF

Field 2: field2=SVC

Field 3: field3=TASK

Field 4: field4=1233212123

Field 5: ip=128

Field6: stranger=asdf

Thoughts???

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-09-2013 02:05 AM

I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.

Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let splunk handle the key=value part automatically.

props.conf

[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|

Hope this helps,

K

View solution in original post

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-09-2013 12:30 PM

you're welcome. 🙂

0 Karma
Reply
Solved! Jump to solution

brianjbrady
Engager
‎10-09-2013 12:03 PM

Worked, Awesome.
Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-09-2013 02:05 AM

I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.

Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let splunk handle the key=value part automatically.

props.conf

[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|

Hope this helps,

K

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-08-2013 05:02 PM

Which field contains ip and stranger? If the other fields exist,then the remaining text must be in some other field.
Or, are you saying that none of the fields are extracted and you need to use | as a delimiter with a multi extraction from the last field.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...