
Making multi value field in props/transforms from auto-extracted field

Builder

I have events whose fields look like this:

Name=[name1,name2,name3]
Application=[app1,app2,app3]

Splunk is auto-extracting the fields into single values, like this:
Field:Value
Name:[name1,name2,name3]
Application:[app1,app2,app3]

Hoping to get some help configuring props/transforms to extract these (and a bunch of other) fields as multi-value fields at search time. My understanding is that the auto-extraction happens /after/ both inline and transform extraction, so I'm not sure how I would accomplish this. Do I need to set KV_MODE=none and then do some kind of explicit extraction for each field?

0 Karma

Re: Making multi value field in props/transforms from auto-extracted field

SplunkTrust

Re: Making multi value field in props/transforms from auto-extracted field

Builder

Thank you somesoni2. I tried this before I posted, but it turns out I did not export the extraction to the search so it wasn't having any effect. I exported to system and the extractions worked properly in fields.conf:

[Name]
TOKENIZER = ([^\[,\]]+)

[Applications]
TOKENIZER = ([^\[,\]]+)

0 Karma

Re: Making multi value field in props/transforms from auto-extracted field

Super Champion

Use this regex either in conf files or at search time:

<base_search>|rex mode=sed field=Name "s/\[(.*)]/\1/"|makemv Name delim=","|mvexpand Name
0 Karma
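The two answers above take different routes to the same result: a fields.conf TOKENIZER that keeps every run of characters that is not a bracket or a comma, and a search-time rex mode=sed that strips the brackets before makemv splits on commas. The Python below is an added example, not code from the thread or from Splunk; it models only the regex steps of each approach on constructed events so the difference on an empty list (`[]`) is visible: the TOKENIZER yields no values, while strip-then-split yields one empty string. The key=value extraction is a deliberately simplified stand-in for Splunk's automatic KV extraction (an assumption, not Splunk's actual implementation), and the events are made up.

```python
import re

# Constructed sample events; not taken from the original thread.
SAMPLE_EVENTS = [
    "ts=2024-01-01T00:00:00Z Name=[name1,name2,name3] Application=[app1,app2,app3]",
    "ts=2024-01-01T00:00:01Z Name=[solo] Application=[]",
    "ts=2024-01-01T00:00:02Z Name=plain Application=[app_1,app-2]",
]

# Simplified stand-in for Splunk's automatic key=value extraction (assumption):
# a word, '=', then a value running up to the next whitespace.
KV_RE = re.compile(r"(\w+)=(\S+)")

# The TOKENIZER from the fields.conf answer: each run of characters that is
# not '[', ',' or ']' becomes one value of the multi-value field.
TOKENIZER_RE = re.compile(r"([^\[,\]]+)")

# The rex mode=sed pattern from the other answer: capture what is between the
# outer brackets and keep only that, then makemv delim="," splits on commas.
SED_RE = re.compile(r"\[(.*)]")


def auto_extract(event):
    """Return the single-valued fields the simplified KV extraction finds."""
    return dict(KV_RE.findall(event))


def tokenizer_mv(value):
    """fields.conf TOKENIZER: every regex match is one element."""
    return TOKENIZER_RE.findall(value)


def sed_makemv_mv(value):
    """rex mode=sed 's/\\[(.*)]/\\1/' followed by makemv delim=','."""
    stripped = SED_RE.sub(r"\1", value)
    return stripped.split(",")


def extract_multivalue(event, fields=("Name", "Application"), method=tokenizer_mv):
    """Auto-extract, then turn the requested fields into multi-value lists."""
    found = auto_extract(event)
    return {f: method(found[f]) for f in fields if f in found}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("TOKENIZER :", extract_multivalue(ev))
        print("sed+makemv:", extract_multivalue(ev, method=sed_makemv_mv))
```

Both methods also behave sensibly on a value with no brackets at all (`Name=plain` stays a single value), so the TOKENIZER does not need a separate stanza for fields that are sometimes scalar. Whether Splunk's makemv keeps an empty string as a value is not asserted here; only the regex-level behaviour is modelled.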