
Field extraction issue

snowye
Engager

A transaction log has the following format:

------Procedure[xxx]'s input paramaters:
journalNo = 111111
custormerId = 22222
payAccName = test1
payAcct = 12000000312313131
recAccName = name1
recAcct = 795729419
hostCode = 23131
businessCode = CB704
------Procedure[xxx]'s input paramaters:
recAccName = name1
recAcct = 795729419
tranAmt = 40378.00
custormerId = 22222
------Procedure[xxx]'s input paramaters:
recAccName = name2
recAcct = 192723415
tranAmt = 13033.00
custormerId = 22222
------Procedure[xxx]'s output paramaters:
procRetCode = 00000

I extract the field recAccName (the recAccName field contains name1, name2, name3, name4, name5). Field extraction: (?i)\nrecAccName\s=\s(?P<ebank_recAccName>\S+) . After extraction, the field ebank_recAccName only has name1, name2, name4, name5. Why?

[ebankraw]
SHOULD_LINEMERGE = False
KV_MODE = none
TIME_PREFIX = \[
TIME_FORMAT = %y-%m-%d %H:%M:%S:%3N
TZ = Asia/Shanghai
NO_BINARY_CHECK = true
invalid_cause = archive
unarchive_cmd = _auto
CHARSET = GB2312

Yes, there are more rows in my events, with recAccName = name3, name4, name5, name6, name7, etc. It's just a sample.

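The thread never establishes why one value goes missing, so the check a practitioner would want is to run the posted regex locally against the raw events and compare it with a whitespace-tolerant equivalent. The block below is an added example, not code from the post or from Splunk; the events are constructed (the "clean" one follows the sample above, the others are assumed variants that differ only in whitespace or line endings around the recAccName line) and are not a claim about what the poster's name3 line actually looks like. Two properties of the posted pattern are visible in the results: `\s=\s` requires exactly one whitespace character on each side of `=`, and the leading `\n` means a recAccName line that opens an event (no preceding newline) never matches.

```python
import re

# Constructed sample events (assumed, not from the poster's data): the layout of
# the question, plus variants that differ only around the recAccName line.
EVENTS = {
    "clean": (
        "------Procedure[xxx]'s input paramaters:\n"
        "journalNo = 111111\n"
        "recAccName = name1\n"
        "recAcct = 795729419\n"
        "------Procedure[xxx]'s input paramaters:\n"
        "recAccName = name2\n"
        "recAcct = 192723415\n"
        "------Procedure[xxx]'s output paramaters:\n"
        "procRetCode = 00000\n"
    ),
    # two spaces before '=': \s=\s needs exactly one whitespace char each side
    "double_space": "------Procedure[xxx]'s input paramaters:\nrecAccName  = name3\nrecAcct = 1\n",
    # tab around '=': a tab is a single \s, so the strict pattern still matches
    "tab": "------Procedure[xxx]'s input paramaters:\nrecAccName\t=\tname4\n",
    # recAccName is the first line of the event: there is no preceding '\n'
    "first_line": "recAccName = name5\nrecAcct = 2\n",
    # CRLF line endings: '\n' still precedes the key and \S+ stops at '\r'
    "crlf": "------Procedure[xxx]'s input paramaters:\r\nrecAccName = name6\r\nrecAcct = 3\r\n",
}

# The regex exactly as posted in the question.
STRICT = re.compile(r"(?i)\nrecAccName\s=\s(?P<ebank_recAccName>\S+)")
# A tolerant equivalent: anchored on line start (MULTILINE) instead of a literal
# '\n', and allowing any run of whitespace around '='.
TOLERANT = re.compile(r"(?im)^[ \t]*recAccName\s*=\s*(?P<ebank_recAccName>\S+)")


def extract(pattern, event):
    """Every match of the named group, in order (what a multivalue field would hold)."""
    return [m.group("ebank_recAccName") for m in pattern.finditer(event)]


def diagnose(events, strict=STRICT, tolerant=TOLERANT):
    """Per event: values found by the strict regex, by the tolerant one, and the difference."""
    report = {}
    for name, raw in events.items():
        got = extract(strict, raw)
        expected = extract(tolerant, raw)
        missed = [v for v in expected if v not in got]
        report[name] = {"strict": got, "tolerant": expected, "missed": missed}
    return report


if __name__ == "__main__":
    for name, r in diagnose(EVENTS).items():
        print(f"{name:13s} strict={r['strict']} tolerant={r['tolerant']} missed={r['missed']}")
```

Running it lists, for each constructed event, which values the posted regex drops. Splunk uses PCRE rather than Python's engine, but the two behaviours shown here (single `\s` around `=`, literal leading `\n`) are the same in both; a `missed` entry on a real event points at the line to inspect with `| rex` or a hex dump.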

mloven_splunk
Splunk Employee

Change

KV_MODE = none

to:

KV_MODE = auto

And Splunk should extract the field automatically.


bmacias84
Champion

Not sure what you are trying to accomplish either, but it seems that every ------Procedure[xxx]'s input paramaters: is its own event. Why not use BREAK_ONLY_BEFORE = -{6}Procedure? Since everything seems to be in key=value form, Splunk should auto-extract, which should get around having to use MV_ADD=true.
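To show what the event-breaking suggestion above changes, here is an added example (not code from the thread or from Splunk) that breaks the constructed log on lines starting with six dashes and "Procedure", then applies a key=value extraction to each event. It assumes the automatic extraction recognises `key = value` lines with spaces around the equals sign, which is how the sample is laid out; the raw log is a copy of the question's sample and is embedded here as test data.

```python
import re

# Constructed raw log in the layout of the question (test data, not the poster's file).
RAW_LOG = """------Procedure[xxx]'s input paramaters:
journalNo = 111111
custormerId = 22222
payAccName = test1
payAcct = 12000000312313131
recAccName = name1
recAcct = 795729419
hostCode = 23131
businessCode = CB704
------Procedure[xxx]'s input paramaters:
recAccName = name1
recAcct = 795729419
tranAmt = 40378.00
custormerId = 22222
------Procedure[xxx]'s input paramaters:
recAccName = name2
recAcct = 192723415
tranAmt = 13033.00
custormerId = 22222
------Procedure[xxx]'s output paramaters:
procRetCode = 00000
"""

# Same regex as the suggested BREAK_ONLY_BEFORE = -{6}Procedure: a new event
# starts at every line that begins with six dashes followed by "Procedure".
BREAK_BEFORE = re.compile(r"^-{6}Procedure", re.M)
# One "key = value" line; whitespace around '=' and at line end is ignored.
KV_LINE = re.compile(r"^\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$", re.M)


def break_events(raw):
    """Split raw text into events, breaking only before lines matching BREAK_BEFORE."""
    starts = [m.start() for m in BREAK_BEFORE.finditer(raw)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)  # text before the first delimiter is its own event
    bounds = zip(starts, starts[1:] + [len(raw)])
    return [raw[a:b] for a, b in bounds if raw[a:b].strip()]


def extract_kv(event):
    """Key=value extraction for one event; a repeated key becomes a list (multivalue)."""
    fields = {}
    for m in KV_LINE.finditer(event):
        k, v = m.group("key"), m.group("value")
        if k in fields:
            prev = fields[k] if isinstance(fields[k], list) else [fields[k]]
            fields[k] = prev + [v]
        else:
            fields[k] = v
    return fields


def parse_log(raw):
    """One field dict per event, in file order."""
    return [extract_kv(e) for e in break_events(raw)]


def values_of(raw, key):
    """Every value of `key` across events; with one event per procedure call the
    field is single-valued per event, so nothing relies on multivalue handling."""
    return [f[key] for f in parse_log(raw) if key in f]


if __name__ == "__main__":
    for i, fields in enumerate(parse_log(RAW_LOG), 1):
        print(i, fields)
    print("recAccName:", values_of(RAW_LOG, "recAccName"))
```

With the log broken this way the sample becomes four events, each recAccName is a plain single value tied to its own recAcct and tranAmt, and a search such as `recAccName=name2` matches exactly the procedure call that carried it; the MV_ADD question only arises when all calls stay in one event.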

kristian_kolb
Ultra Champion

Your sample only contains name1 and name2. Are you saying that there are more rows in your events, with other recAccName = xxx lines?

Not really sure about what you're trying to accomplish, but have you looked at MV_ADD=true in transforms.conf (called from props.conf)?

http://docs.splunk.com/Documentation/Splunk/5.0.1/Knowledge/Createandmaintainsearch-timefieldextract...

/k

Ayn
Legend

Your sample data does not include the event containing "name3" so it's hard to say what goes wrong there...


sonicant
Path Finder

You mean you found the value "交易3" ("transaction 3") was lost in the multi-valued field?

Drainy
Champion

Could you post your props/transforms?
