Solved: How to extract two fields with the same field name...

stevepraz · ‎04-17-2015

Trying to get some data from our alerting/event system into Splunk. There is a report with key value pairs that already existed so I attempted to use that. I am running into an issue with the Journal field, which can occur multiple times if the event has been updated frequently. I have an extraction that works for the first one, but no way to get any additional ones if they occur.

Here is a sample of the data:

SevReq=0
Ticket=NoTicket
Type=1
DataCenter=dc1
    State=Closed
Journal=2015/04/09 21:39:15 Alert acknowledged by user1. 
Journal=2015/04/09 22:47:30 Alert Closed by user2.

END
Here is my extraction that works for the first line:

Journal=(?P.*)

stephane_cyrill · ‎04-17-2015

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....

View solution in original post

jeffland · ‎04-17-2015

You can set max_match = 0 to retrieve more than one match of your capture group: rex reference

gwilliams1_2 · ‎10-10-2017

how do you get this to work with field extractions though?

jeffland · ‎04-17-2015

Ah, stephane_cyrille was faster 🙂

stephane_cyrill · ‎04-17-2015

You can just vote when your agree. I like your speed jeffland......

jeffland · ‎04-17-2015

I know... You simply posted while I was writing my answer (which took some time as I got a little sidetracked trying stuff on regex101.com) 🙂

stephane_cyrill · ‎04-17-2015

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....

How to extract two fields with the same field name from a multiline event?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes