Solved: multiple field occurrences

drodman29 · ‎06-13-2014

I have HTTP logs of the general format:
POST /search.do?sources=Name1&sources=name2&sources=name3&sources=name4

I'm looking for a good way to do stats/pie charts on the sources, but I only get the first value of the field with the default extractors. Suggestions?

somesoni2 · ‎06-13-2014

Put this in your props.conf and transforms.conf

props.conf

[YourSourcetype]
...
Other existing Settings
.....
REPORT-mv_sources = xf-mvsrc


transforms.conf

[xf-mvsrc]
REGEX = sources=(?<sources>[^&]+)
MV_ADD = true

Restart/refresh splunk instance after applying the change.

View solution in original post

somesoni2 · ‎06-13-2014

Put this in your props.conf and transforms.conf

props.conf

[YourSourcetype]
...
Other existing Settings
.....
REPORT-mv_sources = xf-mvsrc


transforms.conf

[xf-mvsrc]
REGEX = sources=(?<sources>[^&]+)
MV_ADD = true

Restart/refresh splunk instance after applying the change.

drodman29 · ‎06-15-2014

One small change on the regex sources=(?[^(&|\?)]+)

edschembor · ‎06-13-2014

Use regex: http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/AboutSplunkregularexpressions

multiple field occurrences

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation