I have data in the following format:
When I search for GenericHostName1, the only associated value with that field is 'vm1' instead of the whole list of VMs. Splunk is only associating the first value in the comma separated list and I want all of them. How would I go about making a search that will return all of the values in the list and not just the first one? Would it help if I were to change the way my data is originally created?
Thanks in advance,
It will depend on how the data is onboarded. Can you please share the props.conf settings for that sourcetype?
With a search time field extraction for the given information, you should be able to use something like the following:
... | rex field=yourfield "=(?P<values>.*)" | rex field=values max_match=0 "(?P<hostname>\w+),?" | ...
This is making some assumptions that may not work in your environment, but without knowing more about it, this is what I could come up with. It will result in a multi-value field called hostname that will contain the set of hostnames in the list.
@morenodelgad1, automatic KV mode performs Search Time field discovery based on Key Value pairs separated by equal to sign (=). Comma (,) is a major segmenter, which means the value will not be identified after encountering a comma.
In your case you can create your own Field Extraction using Interactive Field Extraction in Splunk Web from Settings > Fields (Knowledge Objects) > Field extractions.
For example, for the extraction field GenericHostName1 you can use your own Regular Expression, i.e. GenericHostName1=(?<GenericHostName1>[^;]+) and so on. You can test your Regular Expression/s on regex101.com or let Splunk generate the required Regular Expression for you. If you have not used Splunk Interactive Field Extraction before, you can try out the following Step By Step documentation: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
Also you can use rex command in your SPL to test out the Regular Expression in Splunk with your data rather than testing mock/sample data in regex101.com. Following is the run anywhere search for you to try/test out:
| makeresults | eval _raw="GenericHostName1=vm1,vm2,vm3,vm4;" | rex "GenericHostName1=(?<GenericHostName1>[^;]+)" | makemv GenericHostName1 delim=","
PS: I have used the makemv command to convert comma separated values to a multi-valued field. However, you can ignore it if you require all values as a Single Value (separated by comma as in your data example).
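As an added example (not part of the original thread), the run-anywhere search extended to two constructed events, showing that after makemv a search on GenericHostName1 matches any value in the list, not only the first, and that stats splits the multi-value field per host. The field names and sample values are assumptions matching the question.

```spl
| makeresults count=1
| eval _raw="GenericHostName1=vm1,vm2,vm3,vm4;Owner=alice|GenericHostName1=vm3,vm9;Owner=bob"
| makemv delim="|" _raw
| mvexpand _raw
| rex "GenericHostName1=(?<GenericHostName1>[^;]+)"
| rex "Owner=(?<Owner>[^;]+)"
| makemv delim="," GenericHostName1
| search GenericHostName1="vm3"
| stats count by GenericHostName1
```

Both constructed events contain vm3, so the search keeps both and the stats table lists vm1, vm2, vm3 (count 2), vm4 and vm9 as separate rows.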
Thank you for your response. I was initially told by a teammate that this would easily be handled by Splunk but we quickly realized that it was not. Going to try this and I will update with my results and findings.
While I know field extractions will work, you can try it out and confirm. If something does not work, make sure you unaccept this answer so that it flags for other community members as an unanswered question.
There would be a way for you to change Splunk's event segmentation as per your needs, and maybe that is what your colleague referred to. However, you should weigh your value (correct field extraction) vs cost (performance). There is a possibility that some other fields pick up additional content as well. So I feel a proper field extraction as per your needs is a better option and has better control.