Solved: Re: multiple field occurrences

drodman29 · ‎06-13-2014

I have HTTP logs of the general format:
POST /search.do?sources=Name1&sources=name2&sources=name3&sources=name4

I'm looking for a good way to do stats/pie charts on the sources, but I only get the first value of the field with the default extractors. Suggestions?

somesoni2 · ‎06-13-2014

Put this in your props.conf and transforms.conf

props.conf

[YourSourcetype]
...
Other existing Settings
.....
REPORT-mv_sources = xf-mvsrc


transforms.conf

[xf-mvsrc]
REGEX = sources=(?<sources>[^&]+)
MV_ADD = true

Restart/refresh splunk instance after applying the change.

View solution in original post

somesoni2 · ‎06-13-2014

Put this in your props.conf and transforms.conf

props.conf

[YourSourcetype]
...
Other existing Settings
.....
REPORT-mv_sources = xf-mvsrc


transforms.conf

[xf-mvsrc]
REGEX = sources=(?<sources>[^&]+)
MV_ADD = true

Restart/refresh splunk instance after applying the change.

drodman29 · ‎06-15-2014

One small change on the regex sources=(?[^(&|\?)]+)

edschembor · ‎06-13-2014

Use regex: http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/AboutSplunkregularexpressions

multiple field occurrences

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation