Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

normalising duplicate multivalue field

ytl
Path Finder
‎04-14-2011 01:07 AM

so i have numerous field extractions in place. unfortunately due to the number of regex's there are some events that match two field extractions. the issue is that i have the same field name defined in both extractions.

this isn't a problem as splunk is nice enough to create a multivalue field for me automatically. it just so happens that the value of that field is the same for both entries!

is there a way i can reduce/normalise this so it doesn't show twice? (without reconstructing my regex's)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-14-2011 04:02 AM

There really isn't an easy way globally.

In general, you might look at:

  • Using app namespaces to control when particular extractions are performed. If some are only needed in certain contexts, then perhaps these contexts could be separated out into their own app to avoid this kind of conflict
  • Making the regexes more precise and/or combining multiple regexes into a single one that retrieves multiple fields

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-14-2011 04:02 AM

There really isn't an easy way globally.

In general, you might look at:

  • Using app namespaces to control when particular extractions are performed. If some are only needed in certain contexts, then perhaps these contexts could be separated out into their own app to avoid this kind of conflict
  • Making the regexes more precise and/or combining multiple regexes into a single one that retrieves multiple fields
0 Karma
Reply
Solved! Jump to solution

ytl
Path Finder
‎04-14-2011 07:21 PM

oh well... back to restructuring my regex's i guess... just a thought, when i do a top on such a field - would it double count? cheers,

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...