topic Re: multivalue fields and fields.conf in Splunk Search

multivalue fields and fields.conf

Ron_Naken — Mon, 02 Aug 2010 02:47:25 GMT

With the following data: mac_addr=01-02-03-04-05-06, 01-02-03-04-05-07, 01-02-03-04-05-08

Using this search will properly yield all the unique values of mac_addr:

* | makemv delim=", " mac_addr

Setting fields.conf as follows:

[mac_addr]
INDEXED = false
INDEXED_VALUE = false

While using a TOKENIZER of ([^,]\*) doesn't change the behavior of a basic search, like "*".

What should be defined in the conf files, so that any search will yield the multivalue elements of the field, as if makemv had been specified, without having to specify makemv? Using a search macro or eventtype is an undesired alternative.

Thanks!

Re: multivalue fields and fields.conf

araitz — Mon, 02 Aug 2010 10:35:09 GMT

Try just specifying the following:

[mac_addr]
TOKENIZER=([^\,]+)

I would also recommend making mac_addr Common-Information-Model compliant.

Re: multivalue fields and fields.conf

gkanapathy — Tue, 03 Aug 2010 01:13:23 GMT

I might try:

TOKENIZER = ([^,]*)(,\s*)?

But that's a guess. You can also try a search-time extraction instead:

[mysourcetype]
REPORT-mac = mac_addr,mac_addr_mv

[mac_addr]
#whatever you need to extract mac_addr_list, something like:
REGEX = mac_addr=(?<mac_addr>.*?)\s*(?=$|,\w+=)

[mac_addr_mv]
SOURCE_KEY = mac_addr
REGEX = (?<mac_addr_mv>[^,]*)(,\s*)?
MV_ADD = true

The key of course is to ensure that the list extraction happens before the mv extraction (so listing them sequentially in the same REPORT clause guarantees that). I am not sure of the relative order of extractions for KV_MODE=auto, EXTRACT, and REPORT rules in props.conf, but I think that it occurs in that very order, so that might work if mac_addr were extracted by KV_MODE or EXTRACT rules.

Re: multivalue fields and fields.conf

Ron_Naken — Wed, 09 Feb 2011 18:10:02 GMT

Tokenizer didn't seem to work as expected. The search-time extraction worked like a charm.

Re: multivalue fields and fields.conf

blurblebot — Mon, 25 Apr 2011 21:59:09 GMT

ron, which tokenizer suggestion didn't work, araitz's or gkanapathy's? Or both?

Re: multivalue fields and fields.conf

ehoward — Mon, 25 Jul 2011 19:49:45 GMT

Can someone expand on how to get the tokenizer working in this example?

Re: multivalue fields and fields.conf

jpass — Wed, 20 Feb 2013 20:41:05 GMT

There's two answers here. Which one worked?