Solved: Re: What is the best way to handle repeating field...

bcarr12 · ‎05-15-2018

Hi all,

What would be the best way for Splunk to handle repeating fields in a single event? For instance, one of my logs has a repeating field. For same of demo, let's call it field1. So the log event can have:

field1=123 field1=234

But when Spunk auto-extracts the field/value pair info, it only sees field1=123. What do I need to do to allow it to interpret both values for field1 in that single event. Preferably looking for a way to do this in-line in the search if possible.

Thanks!

xpac · ‎05-15-2018

Hey,
for inline use, you can append a | extract mv_add=true - it should extract field values that exist more than once.
For permanent use, you should use a REPORT- setting in your props.conf and the MV_ADD = true setting in the corresponding transform.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

xpac · ‎05-15-2018

Hey,
for inline use, you can append a | extract mv_add=true - it should extract field values that exist more than once.
For permanent use, you should use a REPORT- setting in your props.conf and the MV_ADD = true setting in the corresponding transform.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

bcarr12 · ‎05-15-2018

Thank you, nice and easy! This did exactly what I was looking for.

What is the best way to handle repeating fields in a single event?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!