Splunk Search

Can you help me add a multvalue field extracting search to props?

Splunk_rocks
Path Finder

Hello Splunkers,

I have the below search working fine and extracting fields so how can i add to props file to make it permanent.

index=** sourcetype=logxx
| makemv delim="," rname

Tags (2)

harsmarvania57
SplunkTrust
SplunkTrust

Hi @Splunk_rocks,

You can create fields.conf with below configuration.

[yourfield]
TOKENIZER = ([^\,]+)\,?
0 Karma

Splunk_rocks
Path Finder

I have not tried but looks like this one also i need

| makemv delim="|" name

0 Karma

Splunk_rocks
Path Finder

I have tried below things in fields.conf but it did not worked

[myfield]
TOKENIZER = ([^|]+)|?
OR

[myfield ]
TOKENIZER = ([^\x7c]+)

[workstations]
TOKENIZER = ([^\,]+)\,?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!