Splunk Search

dealing with repeated fields in one event

haobin
Explorer

Here is my case. I have some events which are simply like below.

event1. epochtime=1282182111 type=type1 value=value1 type=type3 value=value3

event2. epochtime=1282182111 type=type2 value=value4 type=type3 value=value5 type=type4 value=value6

It seems like

... | multikv fields type value

is not working for my purpose.

My goal is something like this: a query for type="type3" should return both events, and count(type) over these two events should give 5. Is it possible to do that, either by setting configuration or by query? Thanks.

Stephen_Sorkin
Splunk Employee

You can get this behavior by setting up a custom multivalued extraction for the "type" field. In props.conf set (for your sourcetype or source):

REPORT-type = mv-type

In transforms.conf set:

[mv-type]
REGEX = type=(?<type>\S+)
MV_ADD = true
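To make the effect of the REGEX / MV_ADD stanza concrete, here is an added example (not from the answer above and not Splunk code) that emulates the extraction in Python over the two events from the question. It uses Python's re module as a stand-in for Splunk's regex engine, applies the same pattern type=(?<type>\S+) to every match in the event, and implements the two MV_ADD behaviours: with MV_ADD = true each further match is appended to a multivalue field, with MV_ADD = false a later value for an already-present field is discarded. The helper names (extract, search, count_values) and the counting of extracted values are my own assumptions for illustration, not Splunk search semantics.

```python
import re

# Constructed sample input: the two events quoted in the question.
EVENTS = [
    "epochtime=1282182111 type=type1 value=value1 type=type3 value=value3",
    "epochtime=1282182111 type=type2 value=value4 type=type3 value=value5 type=type4 value=value6",
]

# Same pattern as the transforms.conf stanza; the named group is the field name.
# (Python spells the named group (?P<type>...), Splunk's PCRE accepts (?<type>...).)
TYPE_REGEX = re.compile(r"type=(?P<type>\S+)")


def extract(event, mv_add=True):
    """Emulate a REPORT extraction for one event.

    mv_add=True  -> MV_ADD = true: the field becomes multivalue and every
                    further match is appended.
    mv_add=False -> MV_ADD = false: a later match for a field that is
                    already present is discarded, so only the first value
                    survives.
    Returns a dict mapping field name -> list of values.
    """
    fields = {}
    for match in TYPE_REGEX.finditer(event):
        for name, value in match.groupdict().items():
            if name not in fields:
                fields[name] = [value]
            elif mv_add:
                fields[name].append(value)
            # else: discard the newly found value
    return fields


def search(events, field, value, mv_add=True):
    """Return the events whose (possibly multivalue) field contains value,
    i.e. what a search for field="value" would match."""
    return [e for e in events if value in extract(e, mv_add).get(field, [])]


def count_values(events, field, mv_add=True):
    """Total number of values extracted for field across all events."""
    return sum(len(extract(e, mv_add).get(field, [])) for e in events)


if __name__ == "__main__":
    for mv_add in (True, False):
        print(f"MV_ADD = {str(mv_add).lower()}")
        for e in EVENTS:
            print("  ", extract(e, mv_add))
        print("   events matching type=type3:", len(search(EVENTS, "type", "type3", mv_add)))
        print("   total type values:", count_values(EVENTS, "type", mv_add))
```

With MV_ADD = true both events carry every type value, so a search for type3 matches both and five type values are extracted in total; with MV_ADD = false only type1 and type2 survive, so the type3 search matches nothing, which is the symptom the question describes.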

haobin
Explorer

This is exactly what i want.
Thanks, Mr. Sorkin.
By the way, I've heard your speech in Taiwan this June.
It's gorgeous and impressive.
