The transaction log format is as follows:
------Procedure[xxx]'s input paramaters:
journalNo = 111111
custormerId = 22222
payAccName = test1
payAcct = 12000000312313131
recAccName = name1
recAcct = 795729419
hostCode = 23131
businessCode = CB704
------Procedure[xxx]'s input paramaters:
recAccName = name1
recAcct = 795729419
tranAmt = 40378.00
custormerId = 22222
------Procedure[xxx]'s input paramaters:
recAccName = name2
recAcct = 192723415
tranAmt = 13033.00
custormerId = 22222
------Procedure[xxx]'s output paramaters:
procRetCode = 00000
I extract the field recAccName (the field recAccName contains name1 name2 name3 name4 name5). Field extraction: (?i)\nrecAccName\s=\s(?P<ebank_recAccName>\S+)
After extraction, the field ebank_recAccName only has name1 name2 name4 name5. Why?
[ebankraw]
SHOULD_LINEMERGE = False
KV_MODE = none
TIME_PREFIX = \[
TIME_FORMAT = %y-%m-%d %H:%M:%S:%3N
TZ =Asia/Shanghai
NO_BINARY_CHECK = true
invalid_cause = archive
unarchive_cmd = _auto
CHARSET = GB2312
Yes, there are more rows in my events, with recAccName = name3 name4 name5 name6 name7 etc. It's just a sample.
Change
KV_MODE = none
to:
KV_MODE = auto
And Splunk should extract the field automatically.
Not sure what you are trying to accomplish either, but it seems that every ------Procedure[xxx]'s input paramaters: is its own event. Why not use BREAK_ONLY_BEFORE = -{6}Procedure? Since everything seems to be in key=value, Splunk should auto-extract. Which should get around having to use MV_ADD=true.
Your sample only contains name1 and name2. Are you saying that there are more rows in your events, with other recAccName = xxx lines?
Not really sure about what you're trying to accomplish, but have you looked at MV_ADD=true in transforms.conf (called from props.conf)?
/k
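The MV_ADD suggestion above, written out as an added example (not from the original thread). It reuses the asker's regex unchanged; the transform stanza name ebank_recAccName_mv and the REPORT class name are assumptions chosen for illustration.

```ini
# props.conf -- search-time settings for the asker's sourcetype
[ebankraw]
# Call the transform below instead of defining the regex inline.
# "ebank_recAccName" after REPORT- is an arbitrary class name (assumed).
REPORT-ebank_recAccName = ebank_recAccName_mv

# transforms.conf
[ebank_recAccName_mv]
# The asker's regex as posted. The named group supplies the field name,
# so no FORMAT line is needed for this search-time extraction.
REGEX = (?i)\nrecAccName\s=\s(?P<ebank_recAccName>\S+)
# Keep every match in the event as a value of a multivalue field
# rather than stopping at the first match.
MV_ADD = true
```

Because the regex starts with \n, it can only match a recAccName line that is preceded by another line inside the same event, so the result depends on how the events are broken.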
Your sample data does not include the event containing "name3" so it's hard to say what goes wrong there...
You mean you found value "交易3" was lost in the multi valued field?
Could you post your props/transforms?