- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multiple values per key in one record
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I have records with multiple k/v pairs with the same keyname, can I parse that through Splunk search language or by massaging the confs so that each k/v pair is reflected in the results of searches against it?
For instance, assuming these records are alone in their index:
3/30/2011 04:53:22 index=Org_Personnel Name=Herbert Name=Yancey Name=Bartleby Department=Acquisitions
3/30/2011 04:53:22 index=Org_Personnel Name=Carol Name=Cyril Name=Lana Name=Mallory Department=IT
(the second line is to illustrate that number of kv pairs can vary from one record to the next)
Now my simple search:
index=Org_Personnel |stats count(name)
How would I make that return "7" instead of "2" as it would without modification?
Thank you in advance.
-s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Blurblebot,
You can do this via props/transforms like so. The trick is to use MV_ADD http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf:
## props.conf
[<your_sourcetype>]
REPORT-name_for_your_sourcetype = name_for_your_sourcetype
## transforms.conf
[name_for_your_sourcetype]
REGEX = Name=(\S+)
FORMAT = name::$1
MV_ADD = True
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Blurblebot,
You can do this via props/transforms like so. The trick is to use MV_ADD http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf:
## props.conf
[<your_sourcetype>]
REPORT-name_for_your_sourcetype = name_for_your_sourcetype
## transforms.conf
[name_for_your_sourcetype]
REGEX = Name=(\S+)
FORMAT = name::$1
MV_ADD = True
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Small capitalization correction on your answer:
FORMAT = Name::$1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Beauty. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You beat me to it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry about the last title. That was bad form.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
