Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple matches in search-time transforms

pehlke
Splunk Employee
Splunk Employee
‎05-16-2011 08:37 AM

I have syslog-ng statistics logs that look like this:

May 13 09:13:01 s_internal@syslog-ng.example.com syslog-ng[32246]: Log statistics; processed='src.internal(s_local#2)=1', stamp='src.internal(s_local#2)=1305302462', processed='destination(d_splunk_unix)=226159', processed='destination(d_arcsight_ciscopixfile)=525439', processed='destination(d_spooler)=0', processed='destination(d_syslog1)=96361', processed='destination(d_secure)=47174', processed='src.internal(s_internal#0)=16', stamp='src.internal(s_internal#0)=1305303121', processed='destination(d_log_juniper)=2246', processed='destination(d_arcsight_ciscoacs)=438', processed='destination(d_snarefile)=1121851', processed='destination(d_arcsight_unix)=393237', processed='destination(d_bootlog)=222057', processed='destination(d_messages)=3611829', processed='global(payload_reallocs)=33', processed='destination(d_arcsight_proxysg)=3659', processed='destination(d_cron)=109', dropped='dst.tcp(d_syslog1#0,10.29.76.97:8514)=0', processed='dst.tcp(d_syslog1#0,10.29.76.97:8514)=96361', stored='dst.tcp(d_syslog1#0,10.29.76.97:8514)=0', processed='destination(d_arcsight_asafile)=458816', processed='destination(d_arcsight_netscreen_fwvpnfile)=385498', processed='destination(d_maillog)=5', processed='destination(d_console)=0', processed='source(s_net)=3515468', processed='global(sdata_updates)=0', processed='destination(d_splunk_osiris)=2708', processed='destination(d_arcsight_ciscofwsmfile)=483202', processed='source(s_local)=96475', processed='source(s_internal)=16', processed='destination(d_arcsight_ironport)=136042', processed='center(queued)=0', processed='destination(d_syslognglog)=16', processed='destination(d_junk_file)=247985', processed='destination(d_splunk_snare)=1139637', processed='destination(d_arcsight_amp)=0', processed='global(msg_clones)=0', processed='center(received)=0'

I want to extract the various d_* destinations and their values. I have a regex in transforms.conf that matches, but only extracts the first destination (here, d_splunk_unix=226159). I see that REPEAT_MATCH exists, but only applies to index-time field extractions.

Is there a transforms.conf analog of, say, rex max_match=100 for search-time extractions?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎05-16-2011 09:03 AM

Yes. For search-time, use:

MV_ADD = True

View solution in original post

Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎05-16-2011 09:03 AM

Yes. For search-time, use:

MV_ADD = True
Reply
Solved! Jump to solution

pehlke
Splunk Employee
Splunk Employee
‎05-16-2011 09:06 AM

Ah, perfect. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...