Solved: Is it possible to extract a multivalue field from ...

tmarlette · ‎06-08-2016

I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf?

For example:
I have a series of data

ANSWER SECTION:
    Offset = 0x0016, RR count = 0
    Name      ".T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
      DATA   10.10.10.2
    Offset = 0x0028, RR count = 1
    Name      "[C016].T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
          DATA   10.10.10.1

Which is called 'answer_section'. Is there some way to make this happen?

In fields.conf

    [answer]
    TOKENIZER = Name\s+\"(?<answer>[^\']+\' in answer

Similar to the way you can in props.conf?

EXTRACT-myField = <myRegex> in source

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

View solution in original post

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

Advanced Splunk Data Management Strategies

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...