Splunk Search

How to set up a multivalue field extraction of only unique values using Splunk-web>Fields>Calculated Fields?

I have the following inline extraction of a multivalue field and I would like to set up the same, but in transforms.conf.

... | rex field=_raw "The Error Number is (?<error_number> [0-9-]{5,5})" max_match=0 | eval error_number=mvdedup(error_number)


This is what I have in Splunk-web>Fields>Field transformations:
Destination app = search
Regular expression = The Error Number is (?<error_number> [0-9-]{5,5})
source key = _raw
Create multivalued fields = checked

Splunk-web>Fields>Field extractions:
Destination app = search
Name = error_number
sourcetype = Job_Log
Type = Uses transformation
Extraction/Transform = ERROR_EXTRACTION

I tried these three eval expressions without success in Splunk-web>Fields>Calculated fields:
Destination app = search
sourcetype = Job_Log
Name = error_number
1. Eval expression = eval error_number=mvdedup(error_number)
2. Eval expression = error_number=mvdedup(error_number)
3. eval expression = mvdedup(error_number)

Well, I changed the function to len() in order to see if I was having the same problem with other eval functions, and I found that non-multivalue functions work correctly in Splunk-web.

eval expression = len(error_number)
" " = ln(error_number)

But these expressions don't work:
" " = mvdedup(error_number)
" " = mvcount(error_number)

Well, I have a problem. I don't have admin privileges to modify those configuration files. Could you provide a solution using Splunk-webserver (not inline)?

I already created the multivalue field using Splunk-webserver>Fields> Field Extractions and Field Transformations, but every time I tried to add any of your answers in Calculated Fields I encountered an error.

Sorry, I know I should have mentioned this from the beginning.

First you have to notice that advanced search-time field extractions use the REPORT extraction configuration in props.conf. Each REPORT extraction stanza references a field transform that is defined separately in transforms.conf. The field transform contains the regular expression that Splunk Enterprise uses to extract fields at search time, as well as other attributes that govern the way that the transform extracts those fields.

1. Edit the props.conf file in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/local.

REGEX=The Error Number is (?<error_number> [0-9-]{5,5})

Let's suppose that your events' sourcetype is My_sourcetype:

REPORT-My_label = My_transform

Try this (on search head):

# props.conf
REPORT-foo = errornumber_mv
EVAL-error_number = mvdedup(error_number)

# transforms.conf
SOURCE_KEY = _raw
MV_ADD = true
REGEX = The Error Number is (?<error_number> [0-9-]{5,5})
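To check offline what the REPORT extraction followed by EVAL-error_number = mvdedup(error_number) will produce for given Job_Log events, here is an added Python harness that is not part of the thread or of Splunk itself; it mirrors the page's regex, the rex max_match option and mvdedup. The sample events are constructed, and Python's re module needs the (?P<name>...) group syntax where Splunk's PCRE accepts (?<name>...).

```python
import re

# Same pattern as the REGEX in the thread, in Python's named-group syntax.
ERROR_NUMBER_RE = re.compile(r"The Error Number is (?P<error_number>[0-9-]{5,5})")

# Constructed sample Job_Log events (not taken from the original post).
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 step=3 The Error Number is 40213 retrying",
    "2024-01-01 10:00:05 step=3 The Error Number is 40213 retrying; "
    "The Error Number is 40213 giving up",
    # [0-9-] also accepts hyphens, so a value like 40-13 is extracted too.
    "2024-01-01 10:00:09 step=4 The Error Number is 40-13 partial code",
    "2024-01-01 10:00:12 step=5 completed without errors",
]


def extract_mv(event, max_match=0):
    """Mimic `rex ... max_match=N` / MV_ADD = true: each match becomes one value.

    Splunk's rex defaults to max_match=1; 0 means unlimited, as in the thread.
    """
    values = [m.group("error_number") for m in ERROR_NUMBER_RE.finditer(event)]
    if max_match > 0:
        values = values[:max_match]
    return values


def mvdedup(values):
    """Mimic eval mvdedup(): drop repeated values, keeping first-seen order."""
    seen = set()
    unique = []
    for value in values:
        if value not in seen:
            seen.add(value)
            unique.append(value)
    return unique


def search_time_pipeline(event):
    """REPORT-* extraction runs first, then the EVAL-* calculated field."""
    return mvdedup(extract_mv(event))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(search_time_pipeline(event))
```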