Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

dealing with repeated fields in one event

haobin
Explorer
‎08-19-2010 02:58 AM

Here is my case. I have some events which are simply like below.

event1. epochtime=1282182111 type=type1 value=value1 type=type3 value=value3

event2. epochtime=1282182111 type=type2 value=value4 type=type3 value=value5 type=type4 value=value6

It seems like

... | multikv fields type value

not working for my purpose.

My goal is something like to query type="type3" will get both events and do count(type) from these two events will get 5. Is it possible to do that either by setting configuration or by query? Thanks.

Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 03:06 AM

You can get this behavior by setting up a custom multivalued extraction for the "type" field. In props.conf set (for your sourcetype or source):

REPORT-type = mv-type

In transforms.conf set:

[mv-type]
REGEX = type=(?<type>\S+)
MV_ADD = true
Reply

haobin
Explorer
‎08-19-2010 04:16 AM

This is exactly what i want.
Thanks, Mr. Sorkin.
By the way, I've heard your speech in Taiwan this June.
It's gorgeous and impressive.

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...