Solved: Re: Multiple values per key in one record

blurblebot · ‎03-30-2011

If I have records with multiple k/v pairs with the same keyname, can I parse that through Splunk search language or by massaging the confs so that each k/v pair is reflected in the results of searches against it?

For instance, assuming these records are alone in their index:

3/30/2011 04:53:22 index=Org_Personnel Name=Herbert Name=Yancey Name=Bartleby Department=Acquisitions 

3/30/2011 04:53:22 index=Org_Personnel Name=Carol Name=Cyril Name=Lana Name=Mallory Department=IT

(the second line is to illustrate that number of kv pairs can vary from one record to the next)

Now my simple search:

index=Org_Personnel |stats count(name)

How would I make that return "7" instead of "2" as it would without modification?

Thank you in advance.

-s

hazekamp · ‎03-30-2011

Blurblebot,

You can do this via props/transforms like so. The trick is to use MV_ADD http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf:

## props.conf
[<your_sourcetype>]
REPORT-name_for_your_sourcetype = name_for_your_sourcetype

## transforms.conf
[name_for_your_sourcetype]
REGEX = Name=(\S+)
FORMAT = name::$1
MV_ADD = True

View solution in original post

hazekamp · ‎03-30-2011

Blurblebot,

You can do this via props/transforms like so. The trick is to use MV_ADD http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf:

## props.conf
[<your_sourcetype>]
REPORT-name_for_your_sourcetype = name_for_your_sourcetype

## transforms.conf
[name_for_your_sourcetype]
REGEX = Name=(\S+)
FORMAT = name::$1
MV_ADD = True

blurblebot · ‎08-12-2011

Small capitalization correction on your answer:

FORMAT = Name::$1

blurblebot · ‎03-30-2011

Beauty. Thanks!

ftk · ‎03-30-2011

You beat me to it!

blurblebot · ‎03-30-2011

Sorry about the last title. That was bad form.

Multiple values per key in one record

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk