Is it possible to create a field extraction on a field that only exists after piping through multikv?
In other words, can I persist this:
index="os" sourcetype="netstat" | multikv | rex field=LocalAddress "(?<port>\d{5})$"
No, Splunk will not extract fields that are only present post multikv. This extraction will need to be based on the _raw field.
Okay, I just edited it and saw the tag was htmlized away. So that should work as is. Just can't make it auto whatever.
Well, to clarify, it will do almost just as you've set up above (though you're missing a field name for the extraction), it just can't be set up as an automatic extraction.
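An added example, not part of the original thread: one way to persist the extraction against _raw, as the answer requires, using a search-time transform. The stanza name netstat_local_port, the column layout of the raw netstat event, and the regex are assumptions to adjust to your data. MV_ADD is set because one netstat event holds many rows, and without it only the first match is kept.

```ini
# props.conf
# Bind a search-time transform to the sourcetype used in the question.
[netstat]
REPORT-netstat_local_port = netstat_local_port

# transforms.conf
# Runs against _raw, since fields created by multikv do not exist
# when automatic extractions are applied.
[netstat_local_port]
SOURCE_KEY = _raw
# Assumed row layout: Proto Recv-Q Send-Q LocalAddress ForeignAddress State
# Captures a five-digit port at the end of the LocalAddress column.
REGEX = (?m)^\S+\s+\d+\s+\d+\s+\S*?(\d{5})\s
FORMAT = port::$1
# Keep every matching row as a value of a multivalue "port" field.
MV_ADD = true
```

The resulting port field is multivalued per event and is not tied to the individual rows that multikv would produce.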