Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are we only able to extract the first value of a comma separated list for a given field?

varunawasthi9
New Member
‎06-17-2019 09:42 AM

Hi,

(In Splunk) I am only able to extract the first value of a comma-separated list for a given field in which the file has results-
only 1 result or group of results with comma separated.
How do I retrieve all values when I call the file to the table.

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎06-17-2019 12:48 PM

You will have to create your own sourcetype-based field extraction on your search head like this:

props.conf:

[yourSourcetypeHere]
REPORT-CustomKVPs = CustomKVPs
KV_MODE = none

transforms.conf:

[Custom_KVPs]
REGEX = ([^\s=]+)\s*=\s*([^\s=]+)
FORMAT = $1::$2
REPEAT_MATCH = true
0 Karma
Reply

woodcock
Esteemed Legend
‎06-17-2019 10:08 AM

Perhaps you are trying to splunk a field which is a CSV into multiple values; if so, try this:

... | makemv delim="," YourFieldCSV

Or this:

... | eval YourNewField = splunk(YourFieldCSV, ",")
0 Karma
Reply

varunawasthi9
New Member
‎06-17-2019 11:51 AM

no not in csv, it a set of data in which a particular filed in events is like that

0 Karma
Reply

woodcock
Esteemed Legend
‎06-17-2019 10:06 AM

Please try again and have somebody proofread your post. Your problem is unclear.

0 Karma
Reply

varunawasthi9
New Member
‎06-17-2019 12:30 PM

eg:

filedaccount = 123456,456789,789789

in same filedaccount= 123456

so when i search or get in table only i get is
1 123456
2 123456

I want like it gets me complete data
1 123456,456789,789789
2 123456

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...