Hi,
(In Splunk) I am only able to extract the first value of a comma-separated list for a given field in which the file has results- only 1 result or group of results with comma separated. How do I retrieve all values when I call the file to the table.
Thanks
You will have to create your own sourcetype-based field extraction on your search head like this:
props.conf:
[yourSourcetypeHere] REPORT-CustomKVPs = CustomKVPs KV_MODE = none
transforms.conf:
[Custom_KVPs] REGEX = ([^\s=]+)\s*=\s*([^\s=]+) FORMAT = $1::$2 REPEAT_MATCH = true
Perhaps you are trying to splunk a field which is a CSV into multiple values; if so, try this:
... | makemv delim="," YourFieldCSV
Or this:
... | eval YourNewField = splunk(YourFieldCSV, ",")
no not in csv, it a set of data in which a particular filed in events is like that
Please try again and have somebody proofread your post. Your problem is unclear.
eg:
filedaccount = 123456,456789,789789
in same filedaccount= 123456
so when i search or get in table only i get is 1 123456 2 123456
I want like it gets me complete data 1 123456,456789,789789 2 123456
