- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I automatically run mvexpand on a field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
I run this search -
index=main | makemv PCIDSS delim=","
I'd like to be automatically expanded instead. But I don't see how I would do this in props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For a multi-valued field extraction, you must use transforms.conf in conjunction with props.conf.
Since you are not showing us how you got the PCIDSS field to begin with, I can't show exactly how this should be set up. But in addition to any other field extractions you may have, you should do this in props.conf
[yoursourcetypehere]
#other field extractions
REPORT-ep = extract-PCIDSS
in transforms.conf
[extract-PCIDSS]
REGEX = <regular expression>
MV_ADD = true
# and other settings...
You should look at the documentation for transforms.conf. Depending on your actual data, there could be many ways to accomplish what you want. For example there is a way to Configure multivalue fields with fields.conf - although I have not done it that way myself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For a multi-valued field extraction, you must use transforms.conf in conjunction with props.conf.
Since you are not showing us how you got the PCIDSS field to begin with, I can't show exactly how this should be set up. But in addition to any other field extractions you may have, you should do this in props.conf
[yoursourcetypehere]
#other field extractions
REPORT-ep = extract-PCIDSS
in transforms.conf
[extract-PCIDSS]
REGEX = <regular expression>
MV_ADD = true
# and other settings...
You should look at the documentation for transforms.conf. Depending on your actual data, there could be many ways to accomplish what you want. For example there is a way to Configure multivalue fields with fields.conf - although I have not done it that way myself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @Anonymous
I guess I am not understanding why I would need to do a regex. I don't see how I specify the delimited here.
So it's probably worth mentioning that the field PCIDSS is just appended at search time for documentation purposes.
props.conf
EVAL-PCIDSS = "11.1.a,11.1.b,11.1.c,11.1.d,11.1.1,11.1.2.a,11.1.2.b"
I tried this a few ways
[extract-PCIDSS]
SOURCE_KEY = PCIDSS
MV_ADD = true
[extract-PCIDSS]
SOURCE_KEY = PCIDSS
MV_ADD = true
regex = .*
[extract-PCIDSS]
SOURCE_KEY = PCIDSS
MV_ADD = true
regex= PCIDSS=(?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good call on the fields.conf method, worked like a charm
[PCIDSS]
TOKENIZER = ([^\,]+)
Video | Welcome Back to Smartness, Pedro
Detector Best Practices: Static Thresholds
Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...
