All,
I run this search -
index=main | makemv PCIDSS delim=","
I'd like it to be automatically expanded instead, but I don't see how I would do this in props.conf.
For a multi-valued field extraction, you must use transforms.conf in conjunction with props.conf.
Since you are not showing us how you got the PCIDSS field to begin with, I can't show exactly how this should be set up. But in addition to any other field extractions you may have, you should do this in props.conf
[yoursourcetypehere]
#other field extractions
REPORT-ep = extract-PCIDSS
in transforms.conf
[extract-PCIDSS]
REGEX = <regular expression>
MV_ADD = true
# and other settings...
You should look at the documentation for transforms.conf. Depending on your actual data, there could be many ways to accomplish what you want. For example there is a way to Configure multivalue fields with fields.conf - although I have not done it that way myself.
Thanks @Anonymous
I guess I am not understanding why I would need to do a regex. I don't see how I specify the delimiter here.
So it's probably worth mentioning that the field PCIDSS is just appended at search time for documentation purposes.
props.conf
EVAL-PCIDSS = "11.1.a,11.1.b,11.1.c,11.1.d,11.1.1,11.1.2.a,11.1.2.b"
I tried this a few ways
[extract-PCIDSS]
SOURCE_KEY = PCIDSS
MV_ADD = true
[extract-PCIDSS]
SOURCE_KEY = PCIDSS
MV_ADD = true
regex = .*
[extract-PCIDSS]
SOURCE_KEY = PCIDSS
MV_ADD = true
regex= PCIDSS=(?
Good call on the fields.conf method, worked like a charm
[PCIDSS]
TOKENIZER = ([^\,]+)
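An added example, not part of the original thread: a Python approximation of how the fields.conf TOKENIZER above splits the EVAL-PCIDSS value (the first capture group of each match becomes one value), checked against the makemv search from the question. The MESSY sample value and the TRIMMED pattern are constructed assumptions, not settings from the thread, and Python's re stands in for Splunk's PCRE engine.

```python
import re

# Value from the EVAL-PCIDSS line in the thread.
PCIDSS = "11.1.a,11.1.b,11.1.c,11.1.d,11.1.1,11.1.2.a,11.1.2.b"
# TOKENIZER from the fields.conf stanza in the thread.
TOKENIZER = r"([^\,]+)"

# Constructed sample: a hand-edited list with a space, an empty item
# and a trailing comma.
MESSY = "11.1.a, 11.1.b,,11.1.c,"
# Hypothetical stricter tokenizer (assumption, not from the thread):
# skips leading whitespace and ends each value on a non-space character.
TRIMMED = r"\s*([^,]*[^,\s])"


def tokenize(value, tokenizer=TOKENIZER):
    """Approximate TOKENIZER: group 1 of each successive match is one value."""
    return [m.group(1) for m in re.finditer(tokenizer, value)]


def makemv(value, delim=","):
    """Approximate `makemv delim=","`, which drops empty values by default."""
    return [v for v in value.split(delim) if v != ""]


def padded_values(values):
    """Values with stray whitespace; an exact match on the requirement ID
    (for example PCIDSS="11.1.b") would miss these."""
    return [v for v in values if v != v.strip()]


if __name__ == "__main__":
    for label, value in (("thread value", PCIDSS), ("constructed", MESSY)):
        got = tokenize(value)
        print(label, got)
        print("  same as makemv:", got == makemv(value))
        print("  padded values :", padded_values(got))
    print("trimmed tokenizer:", tokenize(MESSY, TRIMMED))
```

For the value in the thread the tokenizer and makemv agree; the constructed value shows that both keep the space after a comma, so the list in the EVAL is best written without spaces.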