How to extract more than one value out of a field...

gregbo · ‎05-08-2017

I'm using props.conf and transforms.conf to extract fields with delimiters, some of which are multi-valued. Example:

in transforms.conf:
BHT_Fields]
DELIMS = '*'
FIELDS = BHT_1,BHT_2,BHT_3,BHT_4,BHT_5,BHT_6
SOURCE_KEY = BHT

The following data extracts to:
BHT*0006*12*119283254-20254*20170728*102604*18
BHT_1 = 0006
BHT_2 = 12
...etc.

But for another field:
[DMG_Fields]
DELIMS = '*'
FIELDS = DMG_1,DMG_2,DMG_3
SOURCE_KEY = DMG

This field has multiple values:
DMG*D8*19820811*M
DMG*D8*19610130*U

It extracts to:
DMG_1 = D8
DMG_2 = 19820811
DMG_3 = M D8

...and that's it. It grabs the beginning of the second row (into the last field of the first row), then doesn't grab anything else.

I've got MV_ADD = true in transforms.conf
How do I get splunk to extract that second row?

somesoni2 · ‎05-08-2017

Try changing your transforms.conf entry like this

[DMG_Fields]
REGEX = DMG\*([^\*]+)\*([^\*]+)\*([^\*]+)
FORMAT = DMG_1::$1 DMG_2::$2 DMG_3::$3
SOURCE_KEY = DMG
MV_ADD = true

gregbo · ‎05-09-2017

I tried your suggestion, but it returned nothing.

How to extract more than one value out of a field extraction using delimiters