Hi all,
What would be the best way for Splunk to handle repeating fields in a single event? For instance, one of my logs has a repeating field. For the sake of demo, let's call it field1. So the log event can have:
field1=123 field1=234
But when Splunk auto-extracts the field/value pair info, it only sees field1=123. What do I need to do to allow it to interpret both values for field1 in that single event? Preferably looking for a way to do this in-line in the search if possible.
Thanks!
Hey,
for inline use, you can append a | extract mv_add=true - it should extract field values that exist more than once.
For permanent use, you should use a REPORT- setting in your props.conf and the MV_ADD = true setting in the corresponding transform.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
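As an added example (not from the original thread), this is what the permanent props.conf / transforms.conf setup described in the answer above looks like for the field1=123 field1=234 case; the sourcetype name my_sourcetype, the stanza name field1_multivalue and the regex are assumptions for illustration.

```ini
# props.conf  (assumed sourcetype name; replace with your own)
[my_sourcetype]
REPORT-field1_mv = field1_multivalue

# transforms.conf  (stanza name is assumed; it must match the REPORT- value)
[field1_multivalue]
# Match every "field1=<value>" occurrence in the raw event, not just the first
REGEX = field1=(\S+)
FORMAT = field1::$1
# Without MV_ADD only the first match survives; with it each further match
# is appended as another value of the multivalue field "field1"
MV_ADD = true
```

For a one-off search the inline equivalent is the answer's `| extract mv_add=true`; in either case you can confirm both values were picked up with `| stats count by field1`, which should show a row for 123 and a row for 234 from that single event.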
Thank you, nice and easy! This did exactly what I was looking for.