Splunk Enterprise

How to convert string to multi-value using props.conf and transforms.conf.

pfabrizi
Path Finder

BluecoatSG,

we are trying to create a multivalued filed called "category" from field cs_categories=this;that

We are running 6.5.1
From the Splunk_TA_Bluecoat-proxysg app we thought this would work:
props.conf:
REPORT-categories = bluecoatkv_categories

Transforms.conf
[bluecoatkv_categories]
SOURCE_KEY = cs-categories
REGEX = regexpressin
FORMAT = category:
MV_ADD = true

But I think it should be something different.

Tags (1)
0 Karma

starcher
SplunkTrust
SplunkTrust

Using regex is overkill.
Use this in your sourcetype in props

EVAL-categories=split(cs_categories,”;”)

0 Karma

pfabrizi
Path Finder

is this a 7.0 method or will it work in 6.5.1?

Thanks!

0 Karma

somesoni2
Revered Legend
0 Karma

pfabrizi
Path Finder

Thank You!

0 Karma

somesoni2
Revered Legend
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!