EXTRACT repeatable values from 1 event

sadon · ‎08-18-2012

I have an event in follow format:

param_c="%s"
param_b="%d"
param_c="intrested data"
param_b="1200"

When in insert
KV_MODE=MULTI into props.conf
i have get:

FIELD: PARAM_C___C
VALUE: PARAM_C="intersted data"

KV_MODE=auto:

PARAM_C="%C"

How i can get my "intrested" data in search-time index?

sadon · ‎08-18-2012

Oh! great!
sed is a very usefull command

I add to sourcetype in props.conf

SEDCMD = s/PARAM_.*="%.*"//g

and template values has been deleted!

Are you a member of the Splunk Community?