Problems with adding multi-value field through /var/spool/splunk

orpiczy — Fri, 06 Jun 2025 08:04:11 GMT

Hi Fellow Splunkers,
How can I add multi-value field (array) directly to the index through `/var/spool/splunk`.
I tried multiple approaches:

1. Dict
==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==
{ "array_field":["1", "2"], "count": "2", ... }

2. Classic
==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==
... , array_field=["1", "2"], count="2", ...

I achieved best results with Dict approach. Added field correctly has multiple values, however ... to key ("array_field") splunk adds {}, resulting in incorrect key ("array_field{}")

Do you have any suggestions?

Re: Problems with adding multi-value field through /var/spool/splunk

yuanliu — Thu, 05 Jun 2025 15:17:17 GMT

You will need some compromise one way or another. Any specific reason why array_field{} is unacceptable? If anything, you can use field alias to allow use of array_field. Alternatively you can use calculated field to alter a key-value entry ("classic"), e.g., comma_delimited_field="1,2", then use split to calculate array_field.

topic Re: Problems with adding multi-value field through /var/spool/splunk in Splunk Search

Problems with adding multi-value field through /var/spool/splunk

Re: Problems with adding multi-value field through /var/spool/splunk