Solved: Is it possible to extract a multivalue field from ...

tmarlette · ‎06-08-2016

I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf?

For example:
I have a series of data

ANSWER SECTION:
    Offset = 0x0016, RR count = 0
    Name      ".T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
      DATA   10.10.10.2
    Offset = 0x0028, RR count = 1
    Name      "[C016].T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
          DATA   10.10.10.1

Which is called 'answer_section'. Is there some way to make this happen?

In fields.conf

    [answer]
    TOKENIZER = Name\s+\"(?<answer>[^\']+\' in answer

Similar to the way you can in props.conf?

EXTRACT-myField = <myRegex> in source

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

View solution in original post

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

Changes to Splunk Instructor-Led Training Completion Criteria

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3