https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383926#M112127 <P>I'm guessing I also need to use the DELIMS key in my transforms? </P> Tue, 13 Nov 2018 15:45:18 GMT zanb 2018-11-13T15:45:18Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383925#M112126 <P>Hey everyone! </P> <P>I'm looking at extracting multi-value fields that contain multiple MAC addresses within a field. I know I can create and manipulated multi-value fields at search time, but I'd like to separate some of this data during ingestion. I've read through the transforms.conf and props.conf manual pages, but the language on transforming data into a multi-value field isn't very clear to me.</P> <P>For instance, I'm having trouble understanding what the "::$1" characters denote when using the "FORMAT" key in my transforms.conf file. I know it has to do with RegEx capture groups, but I'm just having a hard time relating how data is extracted and stored via a conf file, as I'm more used to using RegEx on the command line with grep.</P> <P>Would someone kindly help me with an example of how I would extract MAC addresses as a multi-value field? It would really help me bridge the gap of understanding for me, as it's been hard to find concrete examples of how to do this online.</P> <P>In the CSV file, the "MAC_address" field has the data encapsulated in quotes like this: "ad:00:12:af:21:31, 00:fd:aa:23:d1:a5, {so on}". So I'm thinking my conf files need to look something like this:</P> <P>props.conf</P> <PRE><CODE>#sourcetype [mac_addy] TRANSFORMS-mv_macaddress = mv_macaddress </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[mv_macaddress] SOURCE_KEY=MAC_Address REGEX=(([0-9A-F]{2}[:-]){5}([0-9A-F]{2})[,]+) FORMAT=mv_macaddress::$1 MV_ADD=true </CODE></PRE> <P>Would someone please confirm that I'm on the right path or point out any problems with my configuration?</P> <P>I also have fields in the CSV file that have multiple iterations of the same string (a URL), and I would like to deduplicate them so that random entries don't take up 2 page lengths of a webpage. Almost all of my Google searches for "Splunk deduplicate" point me to results about the search-time command "dedup" or how to use CRCsalt on my index to prevent duplicate whole entries. </P> <P>Is there any way I can define a string for a field and have Splunk drop or concatenate that field into one line so I don't have dozens (literally dozens of them!) of iterations of "<A href="https://icanhas.cheezburger.com/">https://icanhas.cheezburger.com/</A> <A href="https://icanhas.cheezburger.com/">https://icanhas.cheezburger.com/</A> <A href="https://icanhas.cheezburger.com/">https://icanhas.cheezburger.com/</A> <A href="https://icanhas.cheezburger.com/">https://icanhas.cheezburger.com/</A>".</P> <P>I appreciate your help. Thank you!</P> Tue, 13 Nov 2018 15:16:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383925#M112126 zanb 2018-11-13T15:16:44Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383926#M112127 <P>I'm guessing I also need to use the DELIMS key in my transforms? </P> Tue, 13 Nov 2018 15:45:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383926#M112127 zanb 2018-11-13T15:45:18Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383927#M112128 <P>You don't need <CODE>DELIMS</CODE> when you have <CODE>REGEX</CODE>.</P> <P>I think you need to change the <CODE>REGEX</CODE> line to <CODE>REGEX=(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})[,]?)</CODE>.</P> Thu, 22 Nov 2018 14:15:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383927#M112128 richgalloway 2018-11-22T14:15:02Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383928#M112129 <P>Missed it by &gt;that&lt; much; just change to this:</P> <PRE><CODE>REGEX=(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})) </CODE></PRE> Thu, 22 Nov 2018 17:31:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383928#M112129 woodcock 2018-11-22T17:31:24Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383929#M112130 <P>Did this work, @zanb? Be sure to come back and comment or click <CODE>Accept</CODE>.</P> Mon, 26 Nov 2018 21:25:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383929#M112130 woodcock 2018-11-26T21:25:57Z https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383930#M112131 <P>Thanks for your help!</P> Mon, 26 Nov 2018 21:31:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-extract-multi-value-fields-at-ingestion-deduplicate/m-p/383930#M112131 zanb 2018-11-26T21:31:05Z