Splunk Search

What is the best way to handle repeating fields in a single event?

bcarr12
Path Finder

Hi all,

What would be the best way for Splunk to handle repeating fields in a single event? For instance, one of my logs has a repeating field. For same of demo, let's call it field1. So the log event can have:

field1=123 field1=234

But when Spunk auto-extracts the field/value pair info, it only sees field1=123. What do I need to do to allow it to interpret both values for field1 in that single event. Preferably looking for a way to do this in-line in the search if possible.

Thanks!

0 Karma
1 Solution

xpac
SplunkTrust
SplunkTrust

Hey,
for inline use, you can append a | extract mv_add=true - it should extract field values that exist more than once.
For permanent use, you should use a REPORT- setting in your props.conf and the MV_ADD = true setting in the corresponding transform.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

0 Karma

xpac
SplunkTrust
SplunkTrust

Hey,
for inline use, you can append a | extract mv_add=true - it should extract field values that exist more than once.
For permanent use, you should use a REPORT- setting in your props.conf and the MV_ADD = true setting in the corresponding transform.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma

bcarr12
Path Finder

Thank you, nice and easy! This did exactly what I was looking for.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...