Convert CSV valued JSON field to multivalued field...

wstrellis · ‎01-22-2021

I have events that are being ingested in JSON format. Two of the fields are comma separated lists of MAC and IPv4 addresses. I would like to convert those fields to multivalue fields at index time.

Example input event:

{"foo": "bar", "host_ip": "122.33.44.120,85.30.248.114,64.4.28.230", "baz": "biz", "mac": "11:22:33:44:55:66,AA:BB:CC:DD:EE:FF,A1:A2:A3:A4:A5:A6", "oof": "rab"}

Example SPL query:

index="foo" sourcetype=mymultivaluesourcetype | table mac

Desired Output:

mac

11:22:33:44:55:66

AA:BB:CC:DD:EE:FF

A1:A2:A3:A4:A5:A6

Actual Output:

mac

11:22:33:44:55:66,AA:BB:CC:DD:EE:FF,A1:A2:A3:A4:A5:A6

props.conf:

[mymultivaluesourcetype]

REPORT-mv_host_ip = mvhostip

REPORT-mv_mac = mvmac

transforms.conf:

[mvhostip]
SOURCE_KEY = field:host_ip
REGEX = (?<host_ip>\d+\.\d+\.\d+\.\d+)
FORMAT = host_ip::$1
MV_ADD = true
REPEAT_MATCH = true

[mvmac]
SOURCE_KEY = field:mac
REGEX = (?<mac>\w+\:\w+\:\w+\:\w+\:\w+\w+\:\w+)
FORMAT = mac::$1
MV_ADD = true
REPEAT_MATCH = true

wstrellis · ‎01-22-2021

My SPL query should actually be:

index="foo" sourcetype=mymultivaluesourcetype | mvexpand mac | table mac

Convert CSV valued JSON field to multivalued field at index time

CSV

JSON

props.conf

transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation