How to setup multivalued fields?

achitan — Mon, 28 Sep 2020 18:45:53 GMT

Hi guys,
I have a problem for which I've seen lots of answers but none worked for me. I have to say that I am a beginner in regex'es so maybe that's the problem. Nevertheless, I have made some tries that should have at least give me multiple values in the same event for a certain field, but it didn't, acting a little weird from my point of view. Having said that, I know my problem is quite simple and sorry for bothering you with this, but I need an example to get me going. So here's the situation:

I have an ASCII file containing events separated by \n. The events look like this:

Time=[1/7/12 01:00:00],Efficiency=1,Fill=2772,Run=206194,MeanLB=59,MeanInt=3,BusySource=[CTP(LUCID),Pixel ,SCT,TRT,L1Calo,BCM,LAr H/F,LAr EMEC,LAr EMB,MDT B,MDT EC,Tile EB,Tile LB,CSC,TGC,RPC,MUCTPI]

Time=[1/7/12 11:00:00],Efficiency=0,Fill=2788,Run=0,MeanLB=0,MeanInt=0,BusySource=[0]

What I want to do is make a multivalued field called busy_item for which every item in BusySource is a value for the field. So that means that the busy_item field will have multiple values coming from each event or 0.

I tried to do this by creating a new field extraction for which I would insert its regex rule. I tried lots of regex'es and none worked as I expected. The last one I tried is

(?:BusySource=[,\[]+)(?P\w+[\(\w\)]*)(?:[,\]])

which reads the 0s in [0] and just the first item in the multivalued BusySource. Even if I put a more general regex, it still just takes only one value per event. But I just started using regex'es.

Another method I used was the TOKENIZER in fields.conf. I've followed the example there and made (it was none) a fields.conf in etc/local or in etc/myapp/local but nothing happened. I guess there are much more editing to do before you can see that field in your app (like in the other conf files).

So, how do I extract the busy_item field?

Thank you very much,
Adrian

Re: How to setup multivalued fields?

echalex — Mon, 28 Sep 2020 18:45:56 GMT

Hi achitan,

I guess that you already have BusySource as a field, because of the equals sign. So basically what you need to do is to copy BusySource to busy_item, drop the angle brackets and make busy_item a multivalued fields separated by commas.

<your search here> | rex field=BusySource "\[(?P<busy_item>[^\]]*)\]" |makemv delim="," busy_item

Does this do what you want?

Re: How to setup multivalued fields?

achitan — Sun, 01 Feb 2015 11:03:07 GMT

echalex, that was perfect! Thank you very very much!

Re: How to setup multivalued fields?

echalex — Sun, 01 Feb 2015 11:31:46 GMT

You're welcome! I'm glad if my answer was helpful.

topic Re: How to setup multivalued fields? in Splunk Search

How to setup multivalued fields?

Re: How to setup multivalued fields?

Re: How to setup multivalued fields?

Re: How to setup multivalued fields?