Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract two fields with the same field name from a multiline event?

stevepraz
Path Finder
‎04-17-2015 05:45 AM

Trying to get some data from our alerting/event system into Splunk. There is a report with key value pairs that already existed so I attempted to use that. I am running into an issue with the Journal field, which can occur multiple times if the event has been updated frequently. I have an extraction that works for the first one, but no way to get any additional ones if they occur.

Here is a sample of the data:

SevReq=0
Ticket=NoTicket
Type=1
DataCenter=dc1
    State=Closed
Journal=2015/04/09 21:39:15 Alert acknowledged by user1. 
Journal=2015/04/09 22:47:30 Alert Closed by user2.

END
Here is my extraction that works for the first line:

Journal=(?P.*)

Reply
1 Solution
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-17-2015 06:22 AM

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....

View solution in original post

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 06:31 AM

You can set max_match = 0 to retrieve more than one match of your capture group: rex reference

Reply
Solved! Jump to solution

gwilliams1_2
Engager
‎10-10-2017 12:24 PM

how do you get this to work with field extractions though?

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 06:32 AM

Ah, stephane_cyrille was faster 🙂

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-17-2015 07:47 AM

You can just vote when your agree. I like your speed jeffland......

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 08:11 AM

I know... You simply posted while I was writing my answer (which took some time as I got a little sidetracked trying stuff on regex101.com) 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-17-2015 06:22 AM

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...