Splunk Search

Multi-line, Multi-value Key Extraction Issue

rturk
Builder

Hello Splunkers 🙂

I'm trying to perform some field extractions in a log similar to the one below:

29/02/2012 16:00 - Printer Usage Report
Printer 1: Canon (123)
Printer 2: Brother (456)
Printer 3: Xerox (789)
Printer 4: Epson (012)
Printer 5: HP (345)
**** END REPORT ****

From this I'm looking for Splunk to extract the 5 values for the field "printer" as well as the values in the parentheses into a "toner_level" field. All from a single event.

What should be my approach here? I've been looking at the various doco (props, transforms, fields) but can't really make any headway...

Any help would be greatly appreciated!

1 Solution

_d_
Splunk Employee
Splunk Employee

You can do it two ways.

1.From Search Bar:

... | rex max_match=10 "(?i)printer\s\d+:\s(?<printer>\w+)\s+\((?<tonner_level>\d+)\)"

2.You can persist extractions using props.conf and transforms.conf combination:

props.conf

[my_sourcetype]
REPORT-my_report = report_mv

transforms.conf

[report_mv]
REGEX = (?i)printer\s+\d+:\s(\w+)\s+\((\d+)\)
FORMAT = printer::$1 toner_level::$2
MV_ADD = true

Notice the MV_ADD attribute in transforms.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

View solution in original post

_d_
Splunk Employee
Splunk Employee

You can do it two ways.

1.From Search Bar:

... | rex max_match=10 "(?i)printer\s\d+:\s(?<printer>\w+)\s+\((?<tonner_level>\d+)\)"

2.You can persist extractions using props.conf and transforms.conf combination:

props.conf

[my_sourcetype]
REPORT-my_report = report_mv

transforms.conf

[report_mv]
REGEX = (?i)printer\s+\d+:\s(\w+)\s+\((\d+)\)
FORMAT = printer::$1 toner_level::$2
MV_ADD = true

Notice the MV_ADD attribute in transforms.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

rturk
Builder

Thanks d, that's definitely put me on the right path!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...