Can Splunk be configured to create a multi value field with auto extracted "name=value" fields.
11/2/11 08:03:00 field-one=who, field-one=what, field-one=where, field-one=why, field-one=when
field_one = who,what,where,why,when
Matty,
I just stumbled onto this and had the same issue last week. I saw a solution posted by Nick here: http://splunk-base.splunk.com/answers/10708/how-do-i-combine-mv-fields-into-a-new-field?page=1&focus...
I took that solution and wrapped it into a macro so I could call it at will from the CLI like this:
eventtype=data | `combine_two_fields(field1,field2,final_field)`
This worked splendidly and is definitely "a keeper."
Without having tested it myself, perhaps mvcombine can do the trick?
Nope. Tried all of the mvs. Everything will work if you use a rex with max_match; however, cannot get it working with auto extracted fields.
