Splunk Search

Multi-line, Multi-value Key Extraction Issue

rturk
Builder

Hello Splunkers 🙂

I'm trying to perform some field extractions in a log similar to the one below:

29/02/2012 16:00 - Printer Usage Report
Printer 1: Canon (123)
Printer 2: Brother (456)
Printer 3: Xerox (789)
Printer 4: Epson (012)
Printer 5: HP (345)
**** END REPORT ****

From this I'm looking for Splunk to extract the 5 values for the field "printer" as well as the values in the parentheses into a "toner_level" field. All from a single event.

What should be my approach here? I've been looking at the various doco (props, transforms, fields) but can't really make any headway...

Any help would be greatly appreciated!

1 Solution

_d_
Splunk Employee
Splunk Employee

You can do it two ways.

1.From Search Bar:

... | rex max_match=10 "(?i)printer\s\d+:\s(?<printer>\w+)\s+\((?<tonner_level>\d+)\)"

2.You can persist extractions using props.conf and transforms.conf combination:

props.conf

[my_sourcetype]
REPORT-my_report = report_mv

transforms.conf

[report_mv]
REGEX = (?i)printer\s+\d+:\s(\w+)\s+\((\d+)\)
FORMAT = printer::$1 toner_level::$2
MV_ADD = true

Notice the MV_ADD attribute in transforms.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

View solution in original post

_d_
Splunk Employee
Splunk Employee

You can do it two ways.

1.From Search Bar:

... | rex max_match=10 "(?i)printer\s\d+:\s(?<printer>\w+)\s+\((?<tonner_level>\d+)\)"

2.You can persist extractions using props.conf and transforms.conf combination:

props.conf

[my_sourcetype]
REPORT-my_report = report_mv

transforms.conf

[report_mv]
REGEX = (?i)printer\s+\d+:\s(\w+)\s+\((\d+)\)
FORMAT = printer::$1 toner_level::$2
MV_ADD = true

Notice the MV_ADD attribute in transforms.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

rturk
Builder

Thanks d, that's definitely put me on the right path!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...