I have events whose fields look like this:
Name=[name1,name2,name3]
Application=[app1,app2,app3]
Splunk is auto-extracting the fields into single values, like this:
Field: Value
Name: [name1,name2,name3]
Application: [app1,app2,app3]
Hoping to get some help configuring props/transforms to extract these (and a bunch of other) fields as multi-value fields at search time. My understanding is that the auto-extraction happens /after/ both inline and transform extraction, so I'm not sure how I would accomplish this. Do I need to set KV_MODE=none and then do some kind of explicit extraction for each field?
Have a look at this method of extracting multi-valued fields from your data:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureSplunktoparsemulti-valuefields
Use this regex either in conf files or at search time:
<base_search>|rex mode=sed field=Value "s/\[(.*)]/\1/"|makemv Value delim=","|mvexpand Value
Thank you somesoni2. I tried this before I posted, but it turns out I had not exported the extraction to the search, so it wasn't having any effect. I exported it to system and the extractions worked properly with this fields.conf:
[Name]
TOKENIZER = ([^\[,\]]+)
[Applications]
TOKENIZER = ([^\[,\]]+)
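To see what the two regexes in this thread produce before committing them to fields.conf or a saved search, here is an added Python script (not from the thread and not Splunk's own code) that applies the sed-style bracket strip plus comma split from the first answer and the fields.conf TOKENIZER from the follow-up to constructed sample events. It assumes TOKENIZER semantics of "every match of the capture group becomes one value", and the KV_PAIR regex is a local stand-in for Splunk's KEY=VALUE auto-extraction; the second sample event has a space after the comma and an empty list to show where the two regexes disagree.

```python
import re

# Regex from the fields.conf stanzas in the thread. Assumed TOKENIZER
# semantics: each capture-group match becomes one value of the field.
TOKENIZER = re.compile(r"([^\[,\]]+)")

# Regex from the first answer's `rex mode=sed "s/\[(.*)]/\1/"`. The greedy
# .* is harmless on a single field value; applied to _raw with two bracketed
# lists on one line it would match across both of them.
STRIP_BRACKETS = re.compile(r"\[(.*)]")

# Local stand-in for Splunk's KEY=VALUE auto-extraction (assumption):
# each "Key=[...]" on the event becomes one single-value field.
KV_PAIR = re.compile(r"(\w+)=(\[[^\]]*\])")


def auto_extract(event: str) -> dict:
    """Single-value fields as the auto-extraction in the question shows them."""
    return dict(KV_PAIR.findall(event))


def tokenize(value: str) -> list:
    """fields.conf TOKENIZER approach: one value per regex match.
    Note: whitespace after a comma is kept as part of the value, and an
    empty list "[]" yields no values at all."""
    return TOKENIZER.findall(value)


def sed_makemv(value: str) -> list:
    """First answer's approach: strip the brackets, then split on ","
    (the local equivalent of makemv delim=","). An empty list "[]" here
    becomes one empty-string token, unlike the tokenizer above."""
    m = STRIP_BRACKETS.search(value)
    inner = m.group(1) if m else value
    return inner.split(",")


def extract_multivalue(event: str, method=tokenize) -> dict:
    """Turn every bracketed single-value field of an event into a list."""
    return {k: method(v) for k, v in auto_extract(event).items()}


# Constructed sample events, not taken from the thread.
EVENTS = [
    "Name=[name1,name2,name3] Application=[app1,app2,app3]",
    "Name=[alice, bob] Application=[]",
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev)
        print("  TOKENIZER :", extract_multivalue(ev, tokenize))
        print("  sed+makemv:", extract_multivalue(ev, sed_makemv))
```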