Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to handle repeating fields in a single event?

bcarr12
Path Finder
‎05-15-2018 05:48 AM

Hi all,

What would be the best way for Splunk to handle repeating fields in a single event? For instance, one of my logs has a repeating field. For same of demo, let's call it field1. So the log event can have:

field1=123 field1=234

But when Spunk auto-extracts the field/value pair info, it only sees field1=123. What do I need to do to allow it to interpret both values for field1 in that single event. Preferably looking for a way to do this in-line in the search if possible.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-15-2018 05:55 AM

Hey,
for inline use, you can append a | extract mv_add=true - it should extract field values that exist more than once.
For permanent use, you should use a REPORT- setting in your props.conf and the MV_ADD = true setting in the corresponding transform.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-15-2018 05:55 AM

Hey,
for inline use, you can append a | extract mv_add=true - it should extract field values that exist more than once.
For permanent use, you should use a REPORT- setting in your props.conf and the MV_ADD = true setting in the corresponding transform.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
Reply
Solved! Jump to solution

bcarr12
Path Finder
‎05-15-2018 08:37 AM

Thank you, nice and easy! This did exactly what I was looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...