Splunk Search

How do I specify a multivalue field when I'm outputting key/value pairs?

splunkIT
Splunk Employee

So let's say I want an event
field1=blah field2=blah field3=blah,blah2,blah3

and I want field3 to be extracted as a multivalue field without any extra config. Do I need to do something special? Is there some special way to output this so that Splunk will extract it as a multivalue field without any extra config? Commas definitely don't work, and field3=blah field3=blah2 also doesn't work.

Flynt
Splunk Employee

If you want to do this at search time -

Use makemv to make the field a multivalue field

| stats count | fields - count | eval field1="blah" | eval field2="blah" | eval field3="blah,blah2,blah3" | table * | makemv field3 delim=","

This will give you -

field1  field2  field3
blah    blah    blah
                blah2
                blah3

in your Splunk results. Note that we tell it which delimiter to use.

splunkIT
Splunk Employee

I need to know how to have splunk AUTOMATICALLY extract multivalues from the format specified. Or is this not possible?


somesoni2
Revered Legend

Splunk cannot automatically extract a multivalued field from the format in question. The values are delimited by a comma (for field3), which can itself be a valid character in a value. The only option is to handle it at search time (the answer by @Flynt above, or using props/transforms config files).

RicoSuave
Builder

You can use this in your search: http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/mvexpand

Or configure props.conf with:

KV_MODE = multi

splunkIT
Splunk Employee

MV_ADD might also work:
http://answers.splunk.com/answers/109827/multiple-key-value-pairs-during-search.html

http://docs.splunk.com/Documentation/Splunk/latest/admin/Transformsconf

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which
already exists.
* If set to true, the extractor makes the field a multivalued field and
appends the newly found value, otherwise the newly found value is
discarded.
* Defaults to false

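To make the props/transforms route discussed in this thread concrete, here is an added configuration example (not posted by anyone in the thread). It covers both event formats the original poster tried: the comma-joined value (handled with a calculated field that splits it) and the repeated key (handled with a search-time extraction that has MV_ADD = true, so every occurrence is appended instead of discarded). The sourcetype names kv_comma and kv_repeated and the transform name field3_repeated are assumptions chosen for the example; KV_MODE = auto is Splunk's default and is what extracts field3 in the first place.

```ini
# ---- props.conf ----

# Assumed sourcetype for events shaped like:
#   field1=blah field2=blah field3=blah,blah2,blah3
[kv_comma]
# Default automatic key=value extraction gives field3 a single value,
# "blah,blah2,blah3". Calculated fields run after extraction, so this
# re-creates field3 as a multivalue field split on the comma.
EVAL-field3 = split(field3, ",")

# Assumed sourcetype for events shaped like:
#   field1=blah field2=blah field3=blah field3=blah2 field3=blah3
[kv_repeated]
# Automatic extraction keeps only the first field3=...; apply the
# search-time transform below to collect every occurrence.
REPORT-field3_repeated = field3_repeated

# ---- transforms.conf ----

[field3_repeated]
# Capture the value after each field3= up to the next whitespace.
REGEX = field3=(\S+)
FORMAT = field3::$1
# Keep matching after the first hit so all field3= occurrences are found.
REPEAT_MATCH = true
# When field3 already exists, append the new value instead of dropping it
# (this is the MV_ADD behaviour quoted from the transforms.conf spec above).
MV_ADD = true
```

Both settings are search-time only, so they apply to data already indexed; after deploying them (or restarting splunkd/refreshing the search-time configuration), a search such as `sourcetype=kv_comma | table field1 field2 field3` should show field3 stacked as three values, the same way the makemv answer above does, without adding makemv to every search.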