I have events that are being ingested in JSON format. Two of the fields are comma separated lists of MAC and IPv4 addresses. I would like to convert those fields to multivalue fields at index time.
Example input event:
{"foo": "bar", "host_ip": "122.33.44.120,85.30.248.114,64.4.28.230", "baz": "biz", "mac": "11:22:33:44:55:66,AA:BB:CC:DD:EE:FF,A1:A2:A3:A4:A5:A6", "oof": "rab"}
Example SPL query:
index="foo" sourcetype=mymultivaluesourcetype | table mac
Desired Output:
| mac |
| 11:22:33:44:55:66 |
| AA:BB:CC:DD:EE:FF |
| A1:A2:A3:A4:A5:A6 |
Actual Output:
| mac |
| 11:22:33:44:55:66,AA:BB:CC:DD:EE:FF,A1:A2:A3:A4:A5:A6 |
props.conf:
[mymultivaluesourcetype]
REPORT-mv_host_ip = mvhostip
REPORT-mv_mac = mvmac
transforms.conf:
[mvhostip]
SOURCE_KEY = field:host_ip
REGEX = (?<host_ip>\d+\.\d+\.\d+\.\d+)
FORMAT = host_ip::$1
MV_ADD = true
REPEAT_MATCH = true
[mvmac]
SOURCE_KEY = field:mac
REGEX = (?<mac>\w+\:\w+\:\w+\:\w+\:\w+\w+\:\w+)
FORMAT = mac::$1
MV_ADD = true
REPEAT_MATCH = true
