What would be the best way for Splunk to handle repeating fields in a single event? For instance, one of my logs has a repeating field. For same of demo, let's call it field1. So the log event can have:
But when Spunk auto-extracts the field/value pair info, it only sees field1=123. What do I need to do to allow it to interpret both values for field1 in that single event. Preferably looking for a way to do this in-line in the search if possible.
for inline use, you can append a | extract mv_add=true - it should extract field values that exist more than once.
For permanent use, you should use a REPORT- setting in your props.conf and the MV_ADD = true setting in the corresponding transform.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂