Re: Help with mv_add and field extractions in tran...

gelica · ‎07-02-2013

Hi,

I'm using props.conf and transforms.conf to extract my fields but I have some issues with MV_ADD.
My data looks like:

-----
Event1
-----
field1: number1
field2: somehing
field1: number2
-----
Event2
-----
field1: number3

It is possible that different kinds of events have the same field(field1 above) but I want to separate them, and name them like event1_field1, event2_field1.

When I use this regex, the field gets the different values:

REGEX=(?im)field1: (?<field1_value>[[^\r\n]+])
MV_ADD=true

but since I want to separate the fields I tried this, but then I only get the first value of field1..

REGEX=(?im)-{2,}[\r\n]+(Event1)[\r\n.]+-{2,}([^-]+?-?)+?field1: (?<field1_value>[[^\r\n]+])
MV_ADD=true

Can anybody please point me in the right direction?
Thanks

woodcock · ‎06-19-2015

Like this:

REGEX=(?im)-{2,}[\r\n]+(Event1)[\r\n.]+-{2,}([^-]+?-?)+?field1: ([[^\r\n]+])
MV_ADD=true
FORMAT $1$2::$3

Help with mv_add and field extractions in transforms.conf

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability