Solved: Re: multiple field occurrences

drodman29 · ‎06-13-2014

I have HTTP logs of the general format:
POST /search.do?sources=Name1&sources=name2&sources=name3&sources=name4

I'm looking for a good way to do stats/pie charts on the sources, but I only get the first value of the field with the default extractors. Suggestions?

somesoni2 · ‎06-13-2014

Put this in your props.conf and transforms.conf

props.conf

[YourSourcetype]
...
Other existing Settings
.....
REPORT-mv_sources = xf-mvsrc


transforms.conf

[xf-mvsrc]
REGEX = sources=(?<sources>[^&]+)
MV_ADD = true

Restart/refresh splunk instance after applying the change.

View solution in original post

somesoni2 · ‎06-13-2014

Put this in your props.conf and transforms.conf

props.conf

[YourSourcetype]
...
Other existing Settings
.....
REPORT-mv_sources = xf-mvsrc


transforms.conf

[xf-mvsrc]
REGEX = sources=(?<sources>[^&]+)
MV_ADD = true

Restart/refresh splunk instance after applying the change.

drodman29 · ‎06-15-2014

One small change on the regex sources=(?[^(&|\?)]+)

edschembor · ‎06-13-2014

Use regex: http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/AboutSplunkregularexpressions

multiple field occurrences

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability