Solved: Is it possible to extract a multivalue field from ...

tmarlette · ‎06-08-2016

I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf?

For example:
I have a series of data

ANSWER SECTION:
    Offset = 0x0016, RR count = 0
    Name      ".T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
      DATA   10.10.10.2
    Offset = 0x0028, RR count = 1
    Name      "[C016].T[C00E].co."
      TYPE   A  .
      CLASS  1
      TTL    1
      DLEN   4
          DATA   10.10.10.1

Which is called 'answer_section'. Is there some way to make this happen?

In fields.conf

    [answer]
    TOKENIZER = Name\s+\"(?<answer>[^\']+\' in answer

Similar to the way you can in props.conf?

EXTRACT-myField = <myRegex> in source

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

View solution in original post

tmarlette · ‎07-06-2016

The answer to this is no unfortunately. But you can work some magic with REGEX props and transforms to get this to work at search time.

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

Accelerating Observability as Code with the Splunk AI Assistant

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Join the Conversation

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

Accelerating Observability as Code with the Splunk AI Assistant

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...