Solved: Re: Making multi value field in props/transforms f...

_smp_ · ‎02-19-2018

I have events that whose fields like this:

Name=[name1,name2,name3]
Application=[app1,app2,app3]

Splunk is auto-extracting the fields into single values, like this:
Field:Value
Name:[name1,name2,name3]
Application:[app1,app2,app3]

Hoping to get some help configuring props/transforms to extract these (and a bunch of other) fields as multi-value fields at search time. My understanding is that the auto-extraction happens /after/ both inline and transform extraction, so I'm not sure how I would accomplish this. Do I need to KV_MODE=none and then do some kind of explicit extraction with each field?

somesoni2 · ‎02-19-2018

Have a look at this method of extracting multivalued field from your data.

http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureSplunktoparsemulti-valuefields

View solution in original post

493669 · ‎02-19-2018

Use this regex either in conf files or at search time:

<base_search>|rex mode=sed field=Value "s/\[(.*)]/\1/"|makemv Value delim=","|mvexpand Value

somesoni2 · ‎02-19-2018

Have a look at this method of extracting multivalued field from your data.

http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureSplunktoparsemulti-valuefields

_smp_ · ‎02-19-2018

Thank you somesoni2. I tried this before I posted, but it turns out I did not export the extraction to the search so it wasn't having any effect. I exported to system and the extractions worked properly in fields.conf:

[Name]
TOKENIZER = ([^\[,\]]+)

[Applications]
TOKENIZER = ([^\[,\]]+)

Making multi value field in props/transforms from auto-extracted field

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms