Splunk Search

How to set up a multivalue field extraction of only unique values using Splunk-web>Fields>Calculated Fields?

edrivera3
Builder

Hi

I have the following inline extraction of a multivalue field and I would like to set up the same, but for transforms.conf?

... | rex field=_raw "The Error Number is (?<error_number>[0-9-]{5,5})" max_match=0 | eval error_number=mvdedup(error_number)

edrivera3
Builder

This is what I have In Splunk-web>Fields>Field transformations:
Destination app = search
Name = ERROR_EXTRACTION
Regular expression = The Error Number is (?<error_number>[0-9-]{5,5})
source key = _raw
Create multivalued fields = checked

Splunk-web/Fields>Field extractions:
Destination app = search
Name = error_number
sourcetype = Job_Log
Type = Uses transformation
Extraction/Transform = ERROR_EXTRACTION

I tried these three eval expressions without success in Splunk>Fields>calculated fields:
Destination app = search
sourcetype = Job_Log
Name = error_number
1. Eval expression = eval error_number=mvdedup(error_number)
2. Eval expression = error_number=mvdedup(error_number)
3. eval expression = mvdedup(error_number)

0 Karma

edrivera3
Builder

Well, I changed the function to len() in order to see if I was having the same problem with other eval functions, and I found that non-multivalue functions work correctly in Splunk-web.

eval expression = len(error_number)
eval expression = ln(error_number)

But these expressions don't work:
eval expression = mvdedup(error_number)
eval expression = mvcount(error_number)

0 Karma

edrivera3
Builder

Well, I have a problem. I don't have admin privileges to modify those configuration files. Could you provide a solution using Splunk-webserver (not inline)?

I already created the multivalue field using Splunk-webserver>Fields> Field Extractions and Field Transformations, but every time I tried to add any of your answers in Calculated Fields I encountered an error.

Sorry, I know I should have mentioned this from the beginning.

0 Karma

stephanefotso
Motivator

Hello!
First, you have to notice that advanced search-time field extractions use the REPORT extraction configuration in props.conf. Each REPORT extraction stanza references a field transform that is defined separately in transforms.conf. The field transform contains the regular expression that Splunk Enterprise uses to extract fields at search time, as well as other attributes that govern the way that the transform extracts those fields.

  1. Edit the props.conf file in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/local.

transforms.conf:

[My_transform]
REGEX=The Error Number is (?<error_number>[0-9-]{5,5})

Let's suppose that your events' sourcetype is My_sourcetype

props.conf:

[My_sourcetype]
REPORT-My_label = My_transform
KV_MODE=none

0 Karma

somesoni2
Revered Legend

Try this (on search head)

props.conf
[yoursourcetype]
..........
REPORT-foo = errornumber_mv
EVAL-error_number = mvdedup(error_number)

transforms.conf
[errornumber_mv]
SOURCE_KEY = _raw
MV_ADD = true
REGEX = The Error Number is (?<error_number>[0-9-]{5,5})
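To make the two-stage behaviour of the accepted configuration concrete (the REPORT transform with MV_ADD = true producing one value per match, then the EVAL- calculated field applying mvdedup), here is a small Python emulation of that pipeline. It is an added example, not Splunk code and not part of this thread; the regex is the thread's own, the sample events are constructed, and the function names (extract_mv, mvdedup, search_time_fields) are assumed for illustration. It also models the inline rex from the question: with the default max_match=1 only the first match is kept, with max_match=0 every match becomes a value.

```python
import re

# Regex from the thread (group syntax with the extraction artefact removed).
ERROR_REGEX = re.compile(r"The Error Number is (?P<error_number>[0-9-]{5,5})")


def extract_mv(raw: str, max_match: int = 0) -> list:
    """Emulate the REPORT transform with MV_ADD = true, or `rex ... max_match=N`.

    max_match=0 keeps every match as a separate multivalue entry (MV_ADD
    semantics); any positive N keeps only the first N matches, which is what
    rex does by default (max_match=1).
    """
    matches = [m.group("error_number") for m in ERROR_REGEX.finditer(raw)]
    return matches if max_match == 0 else matches[:max_match]


def mvdedup(values: list) -> list:
    """Emulate mvdedup(): drop repeated values.

    Assumption: the first occurrence of each value is kept, in event order.
    """
    seen = set()
    out = []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def mvcount(values: list):
    """Emulate mvcount(): number of values, or None (null) for an absent field."""
    return len(values) if values else None


def search_time_fields(raw: str) -> dict:
    """Stage 1: REPORT-foo = errornumber_mv (transforms.conf).
    Stage 2: EVAL-error_number = mvdedup(error_number) (props.conf).

    Returns the fields a search would see for this event. When the regex
    never matches, the field is absent and the EVAL- produces nothing.
    """
    extracted = extract_mv(raw)
    if not extracted:
        return {}
    return {
        "error_number": mvdedup(extracted),
        "extracted_count": mvcount(extracted),
    }


# Constructed sample events (not from the original thread).
SAMPLE_EVENTS = [
    "job 41 started. The Error Number is 10023. retry. "
    "The Error Number is 10023. The Error Number is 10-45",
    "job 42 completed, no errors",
    "The Error Number is 99999 The Error Number is 00001 The Error Number is 99999",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(search_time_fields(ev))
```

Running the block prints the deduplicated error_number list for the first and third events and an empty field set for the second; comparing extracted_count with the length of error_number shows how many duplicates mvdedup removed.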