I have HTTP logs of the general format:
POST /search.do?sources=Name1&sources=name2&sources=name3&sources=name4
I'm looking for a good way to do stats/pie charts on the sources, but I only get the first value of the field with the default extractors. Suggestions?
Put this in your props.conf and transforms.conf
props.conf
[YourSourcetype]
...
Other existing Settings
.....
REPORT-mv_sources = xf-mvsrc
transforms.conf
[xf-mvsrc]
REGEX = sources=(?<sources>[^&]+)
MV_ADD = true
Restart/refresh splunk instance after applying the change.
Put this in your props.conf and transforms.conf
props.conf
[YourSourcetype]
...
Other existing Settings
.....
REPORT-mv_sources = xf-mvsrc
transforms.conf
[xf-mvsrc]
REGEX = sources=(?<sources>[^&]+)
MV_ADD = true
Restart/refresh splunk instance after applying the change.
One small change on the regex sources=(?