Splunk Search

Why are we only able to extract the first value of a comma separated list for a given field?

varunawasthi9
New Member

Hi,

(In Splunk) I am only able to extract the first value of a comma-separated list for a given field, in which the file has results: only 1 result, or a group of comma-separated results.
How do I retrieve all values when I call the file to the table?

Thanks

0 Karma

woodcock
Esteemed Legend

You will have to create your own sourcetype-based field extraction on your search head like this:

props.conf:

[yourSourcetypeHere]
REPORT-CustomKVPs = CustomKVPs
KV_MODE = none

transforms.conf:

# Stanza name must match the value of REPORT-CustomKVPs in props.conf
[CustomKVPs]
REGEX = ([^\s=]+)\s*=\s*([^\s=]+)
FORMAT = $1::$2
REPEAT_MATCH = true
0 Karma

woodcock
Esteemed Legend

Perhaps you are trying to split a field which is a CSV into multiple values; if so, try this:

... | makemv delim="," YourFieldCSV

Or this:

... | eval YourNewField = split(YourFieldCSV, ",")
0 Karma

varunawasthi9
New Member

No, not in CSV; it is a set of data in which a particular field in events is like that.

0 Karma

woodcock
Esteemed Legend

Please try again and have somebody proofread your post. Your problem is unclear.

0 Karma

varunawasthi9
New Member

eg:

filedaccount = 123456,456789,789789

in same filedaccount= 123456

So when I search or get it in a table, all I get is:
1 123456
2 123456

I want it to get me the complete data, like:
1 123456,456789,789789
2 123456

0 Karma
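An added example, not posted by anyone in this thread: an offline check of the transforms.conf REGEX from the answer above against the sample events from the last post, followed by the comma split that `makemv delim=","` performs. Python's `re.findall` stands in for `REPEAT_MATCH = true`, the helper names are hypothetical, and the third event (a space after each comma) is a constructed edge case, not something the thread confirms about the real data.

```python
import re

# REGEX copied from the transforms.conf stanza in the answer above.
KV_REGEX = re.compile(r"([^\s=]+)\s*=\s*([^\s=]+)")

# Constructed sample events: the first two follow the asker's examples,
# the third is an assumed variant with whitespace after the commas.
EVENTS = [
    "filedaccount = 123456,456789,789789",
    "filedaccount= 123456",
    "filedaccount = 123456, 456789, 789789",
]

def extract_kv(raw):
    """Apply the regex repeatedly over one event and return {field: value}.

    Sketch assumption: if a key matches more than once, the first value wins.
    """
    fields = {}
    for key, value in KV_REGEX.findall(raw):
        fields.setdefault(key, value)
    return fields

def split_mv(value, delim=","):
    """Split one extracted string into a list of values, dropping empty items."""
    return [item for item in value.split(delim) if item]

def accounts(raw, field="filedaccount"):
    """Extract the field from a raw event and return its individual values."""
    value = extract_kv(raw).get(field, "")
    return split_mv(value)

if __name__ == "__main__":
    for row, event in enumerate(EVENTS, start=1):
        print(row, repr(extract_kv(event)), accounts(event))
```

The third event yields only the first account because the value group `[^\s=]+` stops at the first whitespace character, so a list written with spaces after the commas is cut short before any multivalue split runs.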