
Making multi value field in props/transforms from auto-extracted field

_smp_
Builder

I have events whose fields look like this:

Name=[name1,name2,name3]
Application=[app1,app2,app3]

Splunk is auto-extracting the fields into single values, like this:
Field:Value
Name:[name1,name2,name3]
Application:[app1,app2,app3]

Hoping to get some help configuring props/transforms to extract these (and a bunch of other) fields as multi-value fields at search time. My understanding is that the auto-extraction happens /after/ both inline and transform extraction, so I'm not sure how I would accomplish this. Do I need to KV_MODE=none and then do some kind of explicit extraction with each field?

1 Solution

somesoni2
SplunkTrust

493669
Super Champion

Use this regex either in conf files or at search time:

<base_search>|rex mode=sed field=Value "s/\[(.*)]/\1/"|makemv Value delim=","|mvexpand Value

somesoni2
SplunkTrust

Have a look at this method of extracting a multivalued field from your data.

http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureSplunktoparsemulti-valuefields

_smp_
Builder

Thank you somesoni2. I tried this before I posted, but it turns out I did not export the extraction to the search so it wasn't having any effect. I exported to system and the extractions worked properly in fields.conf:

[Name]
TOKENIZER = ([^\[,\]]+)

[Applications]
TOKENIZER = ([^\[,\]]+)

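Before shipping a TOKENIZER to fields.conf it helps to check what the regex actually yields on sample values. The following is an added example, not code from the thread: it emulates the two approaches given above (the fields.conf TOKENIZER from the accepted answer, and the rex mode=sed plus makemv alternative) in Python, with a simplified stand-in for Splunk's automatic key=value extraction (AUTO_KV, an assumption, not Splunk's real parser) and a constructed sample event.

```python
import re

# Constructed sample event in the shape the question describes (not real data).
SAMPLE_EVENT = "Name=[name1,name2,name3] Application=[app1,app2,app3] Host=web01"

# Assumed simplification of Splunk's automatic key=value extraction: a word,
# '=', then either a bracketed list or a run of non-space characters.
AUTO_KV = re.compile(r"(\w+)=(\[[^\]]*\]|\S+)")

# The TOKENIZER regex from the fields.conf answer: each run of characters that
# is not '[', ',' or ']' becomes one value of the multivalue field.
TOKENIZER = re.compile(r"([^\[,\]]+)")


def tokenize(value: str) -> list[str]:
    """Emulate fields.conf TOKENIZER: every match of the capture group is one value.

    Note the edge cases: '[]' yields no values, and whitespace inside the
    brackets is kept, so '[a, b]' yields 'a' and ' b' (the regex does not trim).
    """
    return TOKENIZER.findall(value)


def sed_then_makemv(value: str, delim: str = ",") -> list[str]:
    """Emulate the search-time alternative: rex mode=sed s/\\[(.*)]/\\1/ then makemv delim."""
    stripped = re.sub(r"\[(.*)\]", r"\1", value, count=1)
    return stripped.split(delim)


def extract_multivalue(event: str, fields: set[str]) -> dict[str, list[str]]:
    """Auto-extract key=value pairs, then tokenize only the configured fields.

    Fields without a fields.conf stanza stay single-valued, mirroring the fact
    that TOKENIZER applies only to the field names you define.
    """
    result: dict[str, list[str]] = {}
    for key, raw in AUTO_KV.findall(event):
        result[key] = tokenize(raw) if key in fields else [raw]
    return result


if __name__ == "__main__":
    print(extract_multivalue(SAMPLE_EVENT, {"Name", "Application"}))
```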