Solved: normalising duplicate multivalue field

ytl · ‎04-14-2011

so i have numerous field extractions in place. unfortunately due to the number of regex's there are some events that match two field extractions. the issue is that i have the same field name defined in both extractions.

this isn't a problem as splunk is nice enough to create a multivalue field for me automatically. it just so happens that the value of that field is the same for both entries!

is there a way i can reduce/normalise this so it doesn't show twice? (without reconstructing my regex's)

gkanapathy · ‎04-14-2011

There really isn't an easy way globally.

In general, you might look at:

Using app namespaces to control when particular extractions are performed. If some are only needed in certain contexts, then perhaps these contexts could be separated out into their own app to avoid this kind of conflict
Making the regexes more precise and/or combining multiple regexes into a single one that retrieves multiple fields

View solution in original post

gkanapathy · ‎04-14-2011

There really isn't an easy way globally.

In general, you might look at:

Using app namespaces to control when particular extractions are performed. If some are only needed in certain contexts, then perhaps these contexts could be separated out into their own app to avoid this kind of conflict
Making the regexes more precise and/or combining multiple regexes into a single one that retrieves multiple fields

ytl · ‎04-14-2011

oh well... back to restructuring my regex's i guess... just a thought, when i do a top on such a field - would it double count? cheers,

normalising duplicate multivalue field

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life