Re: Why are we only able to extract the first valu...

varunawasthi9 · ‎06-17-2019

Hi,

(In Splunk) I am only able to extract the first value of a comma-separated list for a given field in which the file has results-
only 1 result or group of results with comma separated.
How do I retrieve all values when I call the file to the table.

Thanks

woodcock · ‎06-17-2019

You will have to create your own sourcetype-based field extraction on your search head like this:

props.conf:

[yourSourcetypeHere]
REPORT-CustomKVPs = CustomKVPs
KV_MODE = none

transforms.conf:

[Custom_KVPs]
REGEX = ([^\s=]+)\s*=\s*([^\s=]+)
FORMAT = $1::$2
REPEAT_MATCH = true

woodcock · ‎06-17-2019

Perhaps you are trying to splunk a field which is a CSV into multiple values; if so, try this:

... | makemv delim="," YourFieldCSV

Or this:

... | eval YourNewField = splunk(YourFieldCSV, ",")

varunawasthi9 · ‎06-17-2019

no not in csv, it a set of data in which a particular filed in events is like that

woodcock · ‎06-17-2019

Please try again and have somebody proofread your post. Your problem is unclear.

varunawasthi9 · ‎06-17-2019

eg:

filedaccount = 123456,456789,789789

in same filedaccount= 123456

so when i search or get in table only i get is
1 123456
2 123456

I want like it gets me complete data
1 123456,456789,789789
2 123456

Why are we only able to extract the first value of a comma separated list for a given field?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Why are we only able to extract the first value of a comma separated list for a given field?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem