Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple values per key in one record

blurblebot
Communicator
‎03-30-2011 03:32 PM

If I have records with multiple k/v pairs with the same keyname, can I parse that through Splunk search language or by massaging the confs so that each k/v pair is reflected in the results of searches against it?

For instance, assuming these records are alone in their index:

3/30/2011 04:53:22 index=Org_Personnel Name=Herbert Name=Yancey Name=Bartleby Department=Acquisitions 

3/30/2011 04:53:22 index=Org_Personnel Name=Carol Name=Cyril Name=Lana Name=Mallory Department=IT

(the second line is to illustrate that number of kv pairs can vary from one record to the next)

Now my simple search:

index=Org_Personnel |stats count(name)

How would I make that return "7" instead of "2" as it would without modification?

Thank you in advance.

-s

Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎03-30-2011 03:50 PM

Blurblebot,

You can do this via props/transforms like so. The trick is to use MV_ADD http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf:

## props.conf
[<your_sourcetype>]
REPORT-name_for_your_sourcetype = name_for_your_sourcetype

## transforms.conf
[name_for_your_sourcetype]
REGEX = Name=(\S+)
FORMAT = name::$1
MV_ADD = True

View solution in original post

Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎03-30-2011 03:50 PM

Blurblebot,

You can do this via props/transforms like so. The trick is to use MV_ADD http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf:

## props.conf
[<your_sourcetype>]
REPORT-name_for_your_sourcetype = name_for_your_sourcetype

## transforms.conf
[name_for_your_sourcetype]
REGEX = Name=(\S+)
FORMAT = name::$1
MV_ADD = True
Reply
Solved! Jump to solution

blurblebot
Communicator
‎08-12-2011 10:36 AM

Small capitalization correction on your answer:

FORMAT = Name::$1

Reply
Solved! Jump to solution

blurblebot
Communicator
‎03-30-2011 03:55 PM

Beauty. Thanks!

Reply
Solved! Jump to solution

ftk
Motivator
‎03-30-2011 03:52 PM

You beat me to it!

0 Karma
Reply
Solved! Jump to solution

blurblebot
Communicator
‎03-30-2011 03:33 PM

Sorry about the last title. That was bad form.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...