Solved: one event one filed multi value

crazyeva · ‎08-20-2012

hello
I have my log form as multi lines breaked with an empty line
thanks to ziegfried， I have devided each event successfully with his help
now I want to extract a field, in each event, may covers more than one value. 1,2 maybe 3 of them, same REX.

I find slpunk can pick out the first value which match the REX express, the others are dropped.
Can splunk extract multi values in one event with one REGEX or one FIELD name?
Thank you!

gkanapathy · ‎08-20-2012

You should look at the max_match parameter of the rex command.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex

View solution in original post

crazyeva · ‎08-21-2013

Thank you very much

kristian_kolb · ‎08-21-2013

see example in a previous post.

http://answers.splunk.com/answers/45116/xml-field-extraction?page=1&focusedAnswerId=45126#45126

Hope this helps,

K

0waste_splunk · ‎08-19-2013

@kristian.kolb.

can you please explain in detail with some example?

thanks

gkanapathy · ‎08-20-2012

You should look at the max_match parameter of the rex command.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex

crazyeva · ‎08-19-2013

Thank you very mutch.
It is realy a long cause to study on splunk.

Ayn · ‎08-20-2012

Check kristian.kolb's comment.

crazyeva · ‎08-20-2012

is there any way for pre-extraction
like some parameters in props.conf or transforms.conf?

kristian_kolb · ‎08-20-2012

Check out how to make multi-valued extraction through MV_ADD in transforms.conf

one event one filed multi value

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!