Splunk Search

Why are we only able to extract the first value of a comma separated list for a given field?

varunawasthi9
New Member

Hi,

(In Splunk) I am only able to extract the first value of a comma-separated list for a given field in which the file has results-
only 1 result or group of results with comma separated.
How do I retrieve all values when I call the file to the table.

Thanks

0 Karma

woodcock
Esteemed Legend

You will have to create your own sourcetype-based field extraction on your search head like this:

props.conf:

[yourSourcetypeHere]
REPORT-CustomKVPs = CustomKVPs
KV_MODE = none

transforms.conf:

[Custom_KVPs]
REGEX = ([^\s=]+)\s*=\s*([^\s=]+)
FORMAT = $1::$2
REPEAT_MATCH = true
0 Karma

woodcock
Esteemed Legend

Perhaps you are trying to splunk a field which is a CSV into multiple values; if so, try this:

... | makemv delim="," YourFieldCSV

Or this:

... | eval YourNewField = splunk(YourFieldCSV, ",")
0 Karma

varunawasthi9
New Member

no not in csv, it a set of data in which a particular filed in events is like that

0 Karma

woodcock
Esteemed Legend

Please try again and have somebody proofread your post. Your problem is unclear.

0 Karma

varunawasthi9
New Member

eg:

filedaccount = 123456,456789,789789

in same filedaccount= 123456

so when i search or get in table only i get is
1 123456
2 123456

I want like it gets me complete data
1 123456,456789,789789
2 123456

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...