- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract multiple values from a single field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract multiple values from a single field?
I'm trying to extract multiple values from a single field. I noticed that Splunk field extractor will only extract on value from each field, even if there are multiple values within that field.
Field 1:
INFO 2015-02-23 16:28:45,514 spatchMessageInspector fterReceiveRequest - Request Record : <CalculateTaxRequest>
<Redacted>
<Redacted>
INFO 2015-02-23 16:28:45,514 spatchMessageInspector fterReceiveResponse - Request Record : <CalculateTaxResponse>
<Redacted>
<Redacted>
INFO 2015-02-23 16:28:22,953 spatchMessageInspector fterReceiveRequest - Request Record : <LookupTaxableAddressRequest
I am trying to extract 'CalculateTaxRequest', 'CalculateTaxResponse', and 'LookupTaxableAddress' but it will only extract the first value of 'CalculateTaxRequest' then go to the next field and only extract one value from it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can't use the Field Extractor to do this, but you can do it manually by editing props.conf. Field extraction happens at search time, so if you have a search head, edit the props.conf there; otherwise, do it on the indexer(s). Here is what you need, more or less:
[yoursourcetypehere]
EXTRACT-xyz1=Request Record\s*:\s*(?\<\S+?\>)
Given that you have redacted some data (understandably), my regular expressions may not be accurate. But you get the idea.
Now, my solution assumes that each line beginning with INFO is a separate event, and I think that is the best. BUT if all of this data is indexed as a single event, take a look at this answer for
information about multi-valued field extraction
Or see @KindaWorking's answer!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WPreston helped me solve this in one of his comments here: http://answers.splunk.com/answers/214368/how-to-extract-all-values-for-a-single-field-using.html
A quick quote from him:
To extract multiple values of the same field from a single event, you need to add your extraction to transforms.conf and add MV_ADD = True, then either create a new report stanza or add to an existing report stanza in props.conf for the host, source, or sourcetype that the field is associated with. For this example, I'll use a sourcetype of 'waterfall':
transforms.conf
[Security_ID_Extraction]
REGEX = Security\sID:\s+(?<SecurityID>.*)\n
MV_ADD = True
props.conf
[waterfall]
REPORT-waterfall_fields = Security_ID_Extraction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
send me your regex or props /transforms.conf data
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
