Multivalue delimited field extraction using SPLUNK Web

Communicator

In my logs I'm expecting to see groups with multivalues delimited by %257. For example, in my logs I'm expecting to see
&group=Group1%257Group2%257Group3%257Group4&

I've created a field extraction for GroupsMV using the regular expression group=(?[^&]*). This part seems to work when I run the query (I get the expected results):

group=*|stats count by GroupsMV

Next, I tried to set up a field transformation "(?[^%]+)(?:[%257])*" and selected the checkbox "Create multivalued fields".

When I try to run the query below, I get no results.

group=*|stats count by site_Group

Please assist. What should i do to extract the multiple values for the parameter group?

I've gone through these documents and, with the second article, I don't understand where "TOKENIZER" comes into play using SPLUNK Web. Do I need to apply TOKENIZER? If so, how do I do it using SPLUNK Web?

http://docs.splunk.com/Documentation/Splunk/6.0.4/Knowledge/Managefieldtransforms
https://answers.splunk.com/answers/84589/multivalue-delimited-field-extraction.html


Re: Multivalue delimited field extraction using SPLUNK Web

SplunkTrust

When you create an extraction called site_Group then your root search of group=* is no longer valid... Right?

You can look at the job inspector (magnifying glass) that appears when the job completes. It will show how many events go into a command and how many come out of the command. That might help you.


Re: Multivalue delimited field extraction using SPLUNK Web

Communicator

@jkat54, no, that doesn't sound right. When I created the field extraction, as well as the field transformation, the root search for group=* still works. I can still run these two:

  1. group=*|stats count by GroupsMV
  2. group=*|stats count by group

Re: Multivalue delimited field extraction using SPLUNK Web

Communicator

Does anyone know if defining a Tokenizer is available in SPLUNK Web, as noted in this doc?
http://docs.splunk.com/Documentation/Splunk/6.0.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

[]
TOKENIZER =


Re: Multivalue delimited field extraction using SPLUNK Web

SplunkTrust

In short, when you create the multivalued extractions via Splunk Web, tokenizer is not available.

Your only options I know of are the mv commands... makemv, mvextract, mvexpand, etc.

If you're using Splunk Cloud, the only way I know to create the fields.conf file is to create your own app, have Splunk approve it for the cloud offering (become a Splunk developer), etc.

Maybe you can hit your Splunk Cloud REST API and create a fields.conf that way, never tried. If you're using Splunk Enterprise it should be rather simple. If you want better help, please let us know what version of Splunk you are using... Enterprise, Cloud, trial, and the version number.
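The question's sample value and the accepted answer's pointer to a tokenizer regex are worth checking before handing anything to an admin. The Python below is an added example, not from the thread or from Splunk; it reproduces the documented repeat-match behaviour of a fields.conf TOKENIZER (or makemv's tokenizer option) on constructed events, and shows why a `[^%]+` character class splits on a single `%` rather than on the whole `%257` delimiter. The capture-group name GroupsMV and the event layout are assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample events, modelled on the format quoted in the question.
SAMPLE_EVENTS = [
    "user=alice&group=Group1%257Group2%257Group3%257Group4&action=login",
    "user=bob&group=Group2&action=login",
    "user=carol&group=Group1%257Group4&action=logout",
]

# The question's field extraction (group name assumed): up to the next "&".
GROUP_FIELD_RE = re.compile(r"group=(?P<GroupsMV>[^&]*)")

# DELIM_WRONG stops at any single "%", so the "257" prefix leaks into values.
# DELIM_RIGHT consumes the full "%257" delimiter (or end of value).
DELIM_WRONG = r"([^%]+)"
DELIM_RIGHT = r"(.+?)(?:%257|$)"


def tokenize(value: str, tokenizer: str) -> List[str]:
    """Repeat-match `tokenizer` over `value`; capture group 1 of each match
    becomes one value. Assumption: this mirrors Splunk's TOKENIZER semantics
    (empty captures dropped, like the default allowempty=false)."""
    return [m.group(1) for m in re.finditer(tokenizer, value) if m.group(1)]


def extract_group(event: str) -> Optional[str]:
    """Single-value extraction of the raw delimited group string."""
    m = GROUP_FIELD_RE.search(event)
    return m.group("GroupsMV") if m else None


def count_by_group(events: Iterable[str], tokenizer: str) -> Dict[str, int]:
    """Equivalent of `... | stats count by group` once group is multivalued."""
    counts: Counter = Counter()
    for ev in events:
        raw = extract_group(ev)
        if raw is None:
            continue
        counts.update(tokenize(raw, tokenizer))
    return dict(counts)


if __name__ == "__main__":
    print("wrong:", count_by_group(SAMPLE_EVENTS, DELIM_WRONG))
    print("right:", count_by_group(SAMPLE_EVENTS, DELIM_RIGHT))
```

Once the regex behaves here, the same pattern is what goes into `TOKENIZER = ` under the field's stanza in fields.conf, or into `makemv tokenizer="..." group` at search time.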


Re: Multivalue delimited field extraction using SPLUNK Web

Communicator

I'm currently using an on-premise solution with only access to SPLUNK Web. Thank you for confirming it's not available in SPLUNK Web. I'll connect with my admin to make the necessary update to run TOKENIZE. Hopefully one day this will be available in SPLUNK Web before SPLUNK 10 😛


Re: Multivalue delimited field extraction using SPLUNK Web

SplunkTrust

Thanks for marking as the solution. Let us know if anything else comes up.
