I have logs in the following format:
In order to extract these fields, I used both props.conf and transforms.conf:
props.conf:
[my_format]
REPORT-my_format = my_format

transforms.conf:
[my_format]
FORMAT = $1::$2
REGEX = ([a-zA-Z0-9_]+)=([^|]+)
MV_ADD = true
I am able to get the following fields:
time=12345678 hostname=shayh product=blade1<>blade2<>blade3 username:firstname.lastname@example.org
I noticed that I have an issue only with multi-value field extraction.
Multi-value fields may contain many values separated by "<>".
How can I change my settings to support the current behavior with multi-value field extraction?
I succeeded in splitting it using fields.conf and TOKENIZER, but in the Splunk UI I still see it as:
Is it possible to solve that too? Maybe by replacing <> with \n?
| makeresults | eval _raw="time=12345678|hostname=shayh|product=blade1<>blade2<>blade3|username:email@example.com|" | kv | eval product=split(product,"<>")
Fields » Calculated fields » Add new
eval expression is #4
It looks like your current REGEX will work except for the 'username' field since it is not in K=V format. I would let Splunk extract the 'product' field as-is and use the split function to break it up at search time.
Here is an example:
Right now the pairs are perfect, but I would like the field 'product' (for example) to be multi-value.
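The calculated field described in the thread (Fields » Calculated fields » Add new), written as props.conf settings next to the asker's own extraction stanzas. This is an added example, not configuration posted by anyone in the thread; the stanza name and REGEX are the asker's, and the EVAL- line is the addition.

```ini
# props.conf
[my_format]
# Search-time regex extraction, unchanged from the question.
REPORT-my_format = my_format
# Calculated fields are evaluated after REPORT extractions, so 'product' is
# already populated here. split() turns "blade1<>blade2<>blade3" into a
# three-value field; a value without "<>" stays a single value.
# This is the props.conf form of the UI calculated field (added here).
EVAL-product = split(product, "<>")

# transforms.conf
[my_format]
# $1 is the key, $2 the value, so field names come from the event itself.
FORMAT = $1::$2
# Matches key=value pairs delimited by "|". It does not match the
# 'username:...' pair, as the answer notes, because that uses ":" not "=".
REGEX = ([a-zA-Z0-9_]+)=([^|]+)
# If the same key appears more than once in an event, keep every value as a
# multi-value field instead of discarding the later ones.
MV_ADD = true
```

Because the calculated field runs inside the search-time field pipeline, the split values appear in the UI field list, which is the gap the asker saw with the fields.conf TOKENIZER approach.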