Multiple field extractions per entry

aaronkorn · ‎01-08-2013

Hello!

We have multiple xml entries that are in the form below to show alerting situations, the name, type, and distribution. These alerts are distributed to different systems as shown below. How can i encapsulate all the available distributions instead of just one when i setup my field extractions? The field extraction works great when there is only one distribution but when it has multiple like the example below we only get the first one, not all of them. Any help would be appreciated!

UPMC_0163_LZ_Proc_High_CM_CPU
Linux OS
y03prd00:LZ
y03prd01:LZ
y03prd02:LZ
y03prd03:LZ
y03prd04:LZ
y03prd05:LZ
y03prd06:LZ
y03prd07:LZ
y03prd08:LZ
y03prd09:LZ
y03prd10:LZ
y03prd11:LZ

kristian_kolb · ‎01-15-2013

I'm guessing you could do this in several ways;

1) through the use of rex in the search pipeline

...| rex  "<dist>(?<dist>[^<]+)</dist>" max_match=0 | ...

2) through props/transforms

props.conf

[your_sourcetype]
REPORT-blah = dist_extract

transforms.conf

[dist_extract]
REGEX=<dist>([^<]+)<
FORMAT = dist::$1
MV_ADD=true

Perhaps also xmlkv can provide multivalued fields, but I have little experience of that particular search command.

Hope this helps,

Kristian

Rob · ‎01-15-2013

How are you trying to extract these fields? Are you looking to field extractions via the search command line or via configuration files?

Multiple field extractions per entry

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!