Splunk Search

dealing with repeated fields in one event

Explorer

Here is my case. I have some events which are simply like below.

event1. epochtime=1282182111 type=type1 value=value1 type=type3 value=value3

event2. epochtime=1282182111 type=type2 value=value4 type=type3 value=value5 type=type4 value=value6

It seems like

... | multikv fields type value

is not working for my purpose.

My goal is something like this: querying type="type3" should return both events, and doing count(type) over these two events should give 5. Is it possible to do that either by setting configuration or by query? Thanks.

Splunk Employee

You can get this behavior by setting up a custom multivalued extraction for the "type" field. In props.conf set (for your sourcetype or source):

REPORT-type = mv-type

In transforms.conf set:

[mv-type]
REGEX = type=(?<type>\S+)
MV_ADD = true
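To show what the MV_ADD setting changes, here is an added Python simulation (not Splunk code and not from the answer above) that applies the same REGEX to the two sample events from the question. With MV_ADD = true every match is appended and "type" becomes a multivalue field; with the default, a later match for an already-extracted field is discarded, which is why only the first type= survived before.

```python
import re

# Constructed sample events, copied from the question above.
EVENTS = [
    "epochtime=1282182111 type=type1 value=value1 type=type3 value=value3",
    "epochtime=1282182111 type=type2 value=value4 type=type3 value=value5 type=type4 value=value6",
]

# Same REGEX as the [mv-type] stanza in transforms.conf.
TYPE_RE = re.compile(r"type=(?P<type>\S+)")


def extract_type(event, mv_add=True):
    """Simulate the field extraction for 'type'.

    mv_add=True  -> every match is appended (multivalue field), as MV_ADD = true does.
    mv_add=False -> once the field exists, later matches are discarded (the default).
    """
    values = []
    for m in TYPE_RE.finditer(event):
        if mv_add or not values:
            values.append(m.group("type"))
    return values


def search_type(events, wanted, mv_add=True):
    """Events whose 'type' field contains `wanted`, like the search type="type3"."""
    return [e for e in events if wanted in extract_type(e, mv_add)]


def count_type_values(events, mv_add=True):
    """Total number of 'type' values across the given events (5 for the two sample events)."""
    return sum(len(extract_type(e, mv_add)) for e in events)


if __name__ == "__main__":
    hits = search_type(EVENTS, "type3")
    print(len(hits), count_type_values(hits))            # 2 5
    print(len(search_type(EVENTS, "type3", mv_add=False)))  # 0: only the first type= is kept
```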

Explorer

This is exactly what I want.
Thanks, Mr. Sorkin.
By the way, I heard your speech in Taiwan this June.
It was gorgeous and impressive.