So let's say I want an event
field1=blah field2=blah field3=blah,blah2,blah3
and I want field3 to be extracted as a multivalue field without any extra config. Do I need to do something special? Is there some special way to output this so that Splunk will extract it as a multivalue field without any extra config? Commas definitely don't work, and field3=blah field3=blah2 also doesn't work.
If you want to do this at search time, use makemv to make the field a multivalue field:

| stats count
| fields - count
| eval field1="blah"
| eval field2="blah"
| eval field3="blah,blah2,blah3"
| table *
| makemv field3 delim=","

This will give you the following in your Splunk results:

field1   field2   field3
------   ------   ------
blah     blah     blah
                  blah2
                  blah3

Note that we tell it what delim to use.
Splunk cannot automatically extract a multivalued field from the format in question. Values are delimited by a comma (for field3), which can be a valid character in the value. The only option is to handle it at search time (the answer by @Flynt, or using the props/transforms config files).
MV_ADD might also work:
MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which
* If set to true, the extractor makes the field a multivalued field and
  appends the newly found value, otherwise the newly found value is
* Defaults to false
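The props/transforms route that the two answers above point at, written out as an added example (it is not configuration posted by anyone on this page). It assumes a hypothetical sourcetype named kvlog whose events look like the one in the question, and it covers both shapes the question mentions: the repeated key (field3=blah field3=blah2 ...) and the single comma-separated value (field3=blah,blah2,blah3). The second shape is handled by chaining two REPORT transforms, the second one reading the first one's output through SOURCE_KEY; that chaining is assumed to be applied in the order the REPORT setting lists them.

```ini
# --- props.conf ---
# Hypothetical sourcetype; REPORT transforms run left to right, so
# field3_raw is available before field3_split reads it.
[kvlog]
REPORT-field3 = field3_repeated, field3_raw, field3_split

# --- transforms.conf ---

# Shape 1: the key is repeated in the event, e.g.
#   field1=blah field2=blah field3=blah field3=blah2 field3=blah3
# The regex matches once per occurrence. Without MV_ADD the first
# value wins and the rest are discarded; with MV_ADD = true each
# later match is appended and field3 becomes a multivalue field.
[field3_repeated]
REGEX = field3=(\S+)
FORMAT = field3::$1
MV_ADD = true

# Shape 2: one key, comma-separated values, e.g.
#   field1=blah field2=blah field3=blah,blah2,blah3
# Step A: pull the whole token after "field3=" into a helper field
# so that the split below never touches commas elsewhere in _raw.
[field3_raw]
REGEX = field3=(\S+)
FORMAT = field3_raw::$1

# Step B: split the helper field on commas. SOURCE_KEY makes the
# regex run over field3_raw instead of _raw, and MV_ADD = true turns
# the repeated matches into one multivalue field3.
# Caveat (the point made in the second answer): this treats every
# comma inside the token as a delimiter, so it is only correct when
# a comma can never be part of a legitimate value.
[field3_split]
SOURCE_KEY = field3_raw
REGEX = ([^,]+)
FORMAT = field3::$1
MV_ADD = true
```

After a restart (or a debug refresh), a search such as `sourcetype=kvlog | table field1 field2 field3` should show field3 with three values in either event shape. If the split on commas is not safe for your data, drop field3_split and fall back to the makemv search-time approach, where the delimiter is chosen per search rather than baked into the sourcetype.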