Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Mixed Multivalued Field Extraction

brianjbrady
Engager
‎10-08-2013 04:30 PM

I am having some issues pulling fields out of some particularly strange logging statements, kind of a mix of multivalued and traditional.

For Example:

10/08/2013 23:00:00 INFO:   |   INF|SVC|TASK|1233212123|something happened when ip=128 and stranger=asdf

I need to pull out the following fields:

Field 1: field1=INF

Field 2: field2=SVC

Field 3: field3=TASK

Field 4: field4=1233212123

Field 5: ip=128

Field6: stranger=asdf

Thoughts???

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-09-2013 02:05 AM

I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.

Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let splunk handle the key=value part automatically.

props.conf

[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|

Hope this helps,

K

View solution in original post

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-09-2013 12:30 PM

you're welcome. 🙂

0 Karma
Reply
Solved! Jump to solution

brianjbrady
Engager
‎10-09-2013 12:03 PM

Worked, Awesome.
Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-09-2013 02:05 AM

I don't see the multivaluedness here. From your description, it seems like you just want to extract some fields. Some are pipe-delimited, others are key=value.

Assuming that the event format does not change, I would probably use an EXTRACT in props.conf for the pipe-delimited stuff, and let splunk handle the key=value part automatically.

props.conf

[your sourcetype here]
EXTRACT-blah = ^[^\|]+\|\s+(?<field1>[^\|]+)\|(?<field2>[^\|]+)\|(?<field3>[^\|]+)\|(?<field4>[^\|]+)\|

Hope this helps,

K

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-08-2013 05:02 PM

Which field contains ip and stranger? If the other fields exist,then the remaining text must be in some other field.
Or, are you saying that none of the fields are extracted and you need to use | as a delimiter with a multi extraction from the last field.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...