Reputation: 11
Splunk: Extracting multiple fields with the same name
I am using Splunk to index logs with multiple fields with the same name. All fields have the same meaning: 2012-02-22 13:10:00,ip=127.0.0.1,[email protected],[email protected]
In the automatic extraction for this event, I only get "[email protected]" extracted for the "to" field. How can I make sure all the values are extracted?
Thanks!
Upvotes: 1
Views: 4219
Answers (1)
Reputation: 21
I think adding this to the end of the search this may do it:
| extract pairdelim="," kvdelim="=" mv_add=t | table to
(the 'table' is just for demonstration).
So, I think, in 'transforms.conf' (from http://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf) put:
[my-to-extraction]
DELIMS = ",", "="
MV_ADD = true
and reference it in 'props.conf':
[eventtype::my_custom_eventtype]
REPORT-to = my-to-extraction
where 'eventtype::my_custom_eventtype' could be anything that works as a 'props.conf' specification (<spec> in http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf).
Upvotes: 2
Related Questions
- Multifields search in Splunk without knowing field names
- Extract data from splunk
- splunk query to extract multiple fields from single field
- Extracting multi values with regex ( Only values, don't need Fieldname )
- How to modify regular expressions so that it extracts same fields of both fields?
- Splunk field extractions from different events & delimiters
- Splunk: How to extract field directly in Search command using regular expressions?
- Splunk - regex extract fields from source
- Splunk: combine fields from multiple lines
- Extracting certain fields from Splunk query results