topic How can I use props and transforms to extract multiline muntivalue event? in Splunk Search

How can I use props and transforms to extract multiline muntivalue event?

nareshinsvu — Tue, 07 Feb 2023 21:25:27 GMT

Hi experts there,

Trying to extract multivalue output from a multiline json field through props and transforms. How best can I achieve for the below sample data (for my_mvdata field) ?

I can write a regex in pros.conf with \\t delimiter. But only getting the first line. How to use multi add and do it through transforms?

{ something: false somethingelse: true blah: blah: my_mvdata: server1 count1 country1 code1 message1 server2 count1 country1 code1 message2 server3 count1 country1 code1 message3 server4 count1 country1 code1 message4 blah: blah: }

Re: props and transforms to extract multiline muntivalue event

gcusello — Tue, 07 Feb 2023 07:33:30 GMT

Hi @nareshinsvu,

this seems to be a json format, so use on your props.conf:

INDEXED_EXTRACTIONS = JSON

remember that only for this parameter, it's mandatory to put the props.conf both on Universal Forwarders, Indexers and Search Heads.

Ciao.

Giuseppe

Re: props and transforms to extract multiline muntivalue event

nareshinsvu — Tue, 07 Feb 2023 07:48:41 GMT

Sure @gcusello , and what else should I put in the conf files to extract that fields as multivalued

Re: props and transforms to extract multiline muntivalue event

gcusello — Tue, 07 Feb 2023 07:59:13 GMT

Hi @nareshinsvu,

the above option is useful to extract all the fields as multivalue.

in addition you should add also

SHOULD_LINEMERGE = true

but in my opinion, the best approach is:

take a sample of your logs in a file,
ingest it using the GUI guided procedure to choose the correct sourcetype,
copy the found sourcetype in all the systems interested to this ingestion.

Ciao.

Giuseppe