Re: Why are we only able to extract the first valu...

varunawasthi9 · ‎06-17-2019

Hi,

(In Splunk) I am only able to extract the first value of a comma-separated list for a given field in which the file has results-
only 1 result or group of results with comma separated.
How do I retrieve all values when I call the file to the table.

Thanks

woodcock · ‎06-17-2019

You will have to create your own sourcetype-based field extraction on your search head like this:

props.conf:

[yourSourcetypeHere]
REPORT-CustomKVPs = CustomKVPs
KV_MODE = none

transforms.conf:

[Custom_KVPs]
REGEX = ([^\s=]+)\s*=\s*([^\s=]+)
FORMAT = $1::$2
REPEAT_MATCH = true

woodcock · ‎06-17-2019

Perhaps you are trying to splunk a field which is a CSV into multiple values; if so, try this:

... | makemv delim="," YourFieldCSV

Or this:

... | eval YourNewField = splunk(YourFieldCSV, ",")

varunawasthi9 · ‎06-17-2019

no not in csv, it a set of data in which a particular filed in events is like that

woodcock · ‎06-17-2019

Please try again and have somebody proofread your post. Your problem is unclear.

varunawasthi9 · ‎06-17-2019

eg:

filedaccount = 123456,456789,789789

in same filedaccount= 123456

so when i search or get in table only i get is
1 123456
2 123456

I want like it gets me complete data
1 123456,456789,789789
2 123456

Why are we only able to extract the first value of a comma separated list for a given field?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Why are we only able to extract the first value of a comma separated list for a given field?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I