If I have data like this:
src=1.1.1.1 dst=2.2.2.2
can I create a mvfield of ip's? like:
ips=1.1.1.1,2.2.2.2
FROM SPLUNKWEB (and not the config files)?
Yes, you can.
Try something like this
<your search> | rex max_match=2 "(?:src|dst)=(?<ips>\d+\.\d+\.\d+\.\d+)"
You can increase max_match to a higher value if you more than just 2.
max_match
View solution in original post
If src and dst are already fields (they would be auto-extracted by default), you could do this:
src
dst
... | eval ips=src+","+dst" | eval ips=split(ips,",")
in 4.1+, or
... | eval ips=src+","+dst" | makemv ips delim=","
in earlier versions.
