Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Multi-line, Multi-value Key Extraction Issue

rturk
Builder
‎03-01-2012 12:19 AM

Hello Splunkers 🙂

I'm trying to perform some field extractions in a log similar to the one below:

29/02/2012 16:00 - Printer Usage Report
Printer 1: Canon (123)
Printer 2: Brother (456)
Printer 3: Xerox (789)
Printer 4: Epson (012)
Printer 5: HP (345)
**** END REPORT ****

From this I'm looking for Splunk to extract the 5 values for the field "printer" as well as the values in the parentheses into a "toner_level" field. All from a single event.

What should be my approach here? I've been looking at the various doco (props, transforms, fields) but can't really make any headway...

Any help would be greatly appreciated!

Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎03-01-2012 10:21 AM

You can do it two ways.

1.From Search Bar:

... | rex max_match=10 "(?i)printer\s\d+:\s(?<printer>\w+)\s+\((?<tonner_level>\d+)\)"

2.You can persist extractions using props.conf and transforms.conf combination:

props.conf

[my_sourcetype]
REPORT-my_report = report_mv

transforms.conf

[report_mv]
REGEX = (?i)printer\s+\d+:\s(\w+)\s+\((\d+)\)
FORMAT = printer::$1 toner_level::$2
MV_ADD = true

Notice the MV_ADD attribute in transforms.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

View solution in original post

Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎03-01-2012 10:21 AM

You can do it two ways.

1.From Search Bar:

... | rex max_match=10 "(?i)printer\s\d+:\s(?<printer>\w+)\s+\((?<tonner_level>\d+)\)"

2.You can persist extractions using props.conf and transforms.conf combination:

props.conf

[my_sourcetype]
REPORT-my_report = report_mv

transforms.conf

[report_mv]
REGEX = (?i)printer\s+\d+:\s(\w+)\s+\((\d+)\)
FORMAT = printer::$1 toner_level::$2
MV_ADD = true

Notice the MV_ADD attribute in transforms.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Reply
Solved! Jump to solution

rturk
Builder
‎03-01-2012 08:08 PM

Thanks d, that's definitely put me on the right path!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...