Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract two fields with the same field name from a multiline event?

stevepraz
Path Finder
‎04-17-2015 05:45 AM

Trying to get some data from our alerting/event system into Splunk. There is a report with key value pairs that already existed so I attempted to use that. I am running into an issue with the Journal field, which can occur multiple times if the event has been updated frequently. I have an extraction that works for the first one, but no way to get any additional ones if they occur.

Here is a sample of the data:

SevReq=0
Ticket=NoTicket
Type=1
DataCenter=dc1
    State=Closed
Journal=2015/04/09 21:39:15 Alert acknowledged by user1. 
Journal=2015/04/09 22:47:30 Alert Closed by user2.

END
Here is my extraction that works for the first line:

Journal=(?P.*)

Reply
1 Solution
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-17-2015 06:22 AM

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....

View solution in original post

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 06:31 AM

You can set max_match = 0 to retrieve more than one match of your capture group: rex reference

Reply
Solved! Jump to solution

gwilliams1_2
Engager
‎10-10-2017 12:24 PM

how do you get this to work with field extractions though?

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 06:32 AM

Ah, stephane_cyrille was faster 🙂

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-17-2015 07:47 AM

You can just vote when your agree. I like your speed jeffland......

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-17-2015 08:11 AM

I know... You simply posted while I was writing my answer (which took some time as I got a little sidetracked trying stuff on regex101.com) 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-17-2015 06:22 AM

Hi, If you are using rex command, try this:

.......| rex max_match=0 field=.....
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...