Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extracting multiple field values with same field name

splunkingsplun1
Explorer
‎06-01-2014 09:16 AM

Can anyone provide assistance for extracting multiple field values with same field name? My log is something like this:

10:10:34 scan_date="2014-05-24 10:10:34" ip=192.168.1.1 port=445 protocol=tcp results="- NULL sessions are enabled on the remote host " cve=CVE-1999-0503 cve=CVE-1999-0504 cve=CVE-1999-0505 cve=CVE-1999-0506 cve=CVE-2000-0222 cve=CVE-2002-1117 mskb=Q132679 mskb=Q143474 mskb=Q289655

As you can observe I have multiple CVE and MSKB values and Splunk stops after extracting first value. I would like to extract all of them. Any suggestions? Any input would be helpful.

0 Karma
Reply

MuS
Legend
‎06-02-2014 12:10 AM

Hi splunkingsplunker,

have you tried adding MV_ADD in transforms.conf for that sourcetype?

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the 
* newly found value, otherwise the newly found value is discarded.
* Defaults to false

hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...