Solved: Is it possible to extract a multivalue field from ...

tmarlette · ‎06-08-2016

I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf?

For example:
I have a series of data

ANSWER SECTION:
    Offset = 0x0016, RR count = 0
    Name      ".T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
      DATA   10.10.10.2
    Offset = 0x0028, RR count = 1
    Name      "[C016].T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
          DATA   10.10.10.1

Which is called 'answer_section'. Is there some way to make this happen?

In fields.conf

    [answer]
    TOKENIZER = Name\s+\"(?<answer>[^\']+\' in answer

Similar to the way you can in props.conf?

EXTRACT-myField = <myRegex> in source

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

View solution in original post

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console