Solved: Is it possible to extract a multivalue field from ...

tmarlette · ‎06-08-2016

I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf?

For example:
I have a series of data

ANSWER SECTION:
    Offset = 0x0016, RR count = 0
    Name      ".T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
      DATA   10.10.10.2
    Offset = 0x0028, RR count = 1
    Name      "[C016].T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
          DATA   10.10.10.1

Which is called 'answer_section'. Is there some way to make this happen?

In fields.conf

    [answer]
    TOKENIZER = Name\s+\"(?<answer>[^\']+\' in answer

Similar to the way you can in props.conf?

EXTRACT-myField = <myRegex> in source

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

View solution in original post

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)