Solved: Field extraction on post multikv field?

Simon_Shelston · ‎04-20-2010

Is it possible to create a field extraction on a field that only exists after piping through multikv?

In other words, can I persist this:

index="os" sourcetype="netstat" | multikv | rex field=LocalAddress "(?<port>\d{5})$"

Simon_Shelston · ‎04-20-2010

No, Splunk will not extract fields that are only present post multikv. This extraction will need to be based on the _raw field.

View solution in original post

Simon_Shelston · ‎04-20-2010

No, Splunk will not extract fields that are only present post multikv. This extraction will need to be based on the _raw field.

gkanapathy · ‎04-21-2010

okay, i just edited it and saw the tag was htmlized away. so that should work as is. just can't make it auto whatever.

gkanapathy · ‎04-21-2010

Well, to clarify, it will do almost just as you've set up above (though you're missing a field name for the extraction), it just can't be set up as an automatic extraction.

Field extraction on post multikv field?

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud