Splunk Search

Can you help me add a multvalue field extracting search to props?

Splunk_rocks
Path Finder

Hello Splunkers,

I have the below search working fine and extracting fields so how can i add to props file to make it permanent.

index=** sourcetype=logxx
| makemv delim="," rname

Tags (2)

harsmarvania57
SplunkTrust
SplunkTrust

Hi @Splunk_rocks,

You can create fields.conf with below configuration.

[yourfield]
TOKENIZER = ([^\,]+)\,?
0 Karma

Splunk_rocks
Path Finder

I have not tried but looks like this one also i need

| makemv delim="|" name

0 Karma

Splunk_rocks
Path Finder

I have tried below things in fields.conf but it did not worked

[myfield]
TOKENIZER = ([^|]+)|?
OR

[myfield ]
TOKENIZER = ([^\x7c]+)

[workstations]
TOKENIZER = ([^\,]+)\,?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>