Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- table operation is showing only top record
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a bash script which list the Application name and its version as follows in a file which is indexed by Splunk and a single Splunk record is showing as follows:
Application = security, Version = 7.33
Application = sjosd, Version = 7.33
Application = staccds, Version = NA
Application = staccdsnew, Version = NA
Using the table option as follows in the search query, only the top record is listing in the table
my search | table Application Version
e.g.
Security 7.33
Rest of the records are not listing the table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You say "a single Splunk record" is showing this behavior. I take that to mean your input is being parsed as a single event.
The default way that Splunk parses key value pairs in an event, is that the first found value for a given key (field) is kept and subsequent values are discarded. see MV_ADD in transforms.conf. This is likely the source of the behavior you're seeing.
To solve this, there are a few options with differing trade offs, think about what questions you're wanting to ask Splunk. The quickest to do is to explicitly call the extract command in your search, setting mv_add to true. The second easies is to setup appropriate props.conf and transforms.conf on your search head to set MV_ADD to true for these events so at search time no explicit extract call is needed. The third, which would require re-indexing, would be to setup props.conf on your indexer / heavy forwarder to break this event into multiple events at parse/index time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You say "a single Splunk record" is showing this behavior. I take that to mean your input is being parsed as a single event.
The default way that Splunk parses key value pairs in an event, is that the first found value for a given key (field) is kept and subsequent values are discarded. see MV_ADD in transforms.conf. This is likely the source of the behavior you're seeing.
To solve this, there are a few options with differing trade offs, think about what questions you're wanting to ask Splunk. The quickest to do is to explicitly call the extract command in your search, setting mv_add to true. The second easies is to setup appropriate props.conf and transforms.conf on your search head to set MV_ADD to true for these events so at search time no explicit extract call is needed. The third, which would require re-indexing, would be to setup props.conf on your indexer / heavy forwarder to break this event into multiple events at parse/index time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Acharlieh!
I did't had the Splunk server access to do the modifications. So, in my bash script, i added date command to display date in front of each record. This made Splunk to read each record as a single event.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
