Solved: Re: Field extraction on post multikv field?

Simon_Shelston · ‎04-20-2010

Is it possible to create a field extraction on a field that only exists after piping through multikv?

In other words, can I persist this:

index="os" sourcetype="netstat" | multikv | rex field=LocalAddress "(?<port>\d{5})$"

Simon_Shelston · ‎04-20-2010

No, Splunk will not extract fields that are only present post multikv. This extraction will need to be based on the _raw field.

View solution in original post

Simon_Shelston · ‎04-20-2010

No, Splunk will not extract fields that are only present post multikv. This extraction will need to be based on the _raw field.

gkanapathy · ‎04-21-2010

okay, i just edited it and saw the tag was htmlized away. so that should work as is. just can't make it auto whatever.

gkanapathy · ‎04-21-2010

Well, to clarify, it will do almost just as you've set up above (though you're missing a field name for the extraction), it just can't be set up as an automatic extraction.

Field extraction on post multikv field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation