Solved: Re: Multiple values, same field -- how?

the_wolverine · ‎02-10-2011

I'm not sure how to workaround an issue where my field extraction is working on multiple values of the same field. For example, I have the following event that contains lines from ldap:

(this is in one event)

memberOf: CN=tina
memberOf: CN=toby
memberOf: CN=ben

My field extraction looks like this:

(?i)memberOf: (?P<memberOf>[^\n]+)

Splunk only pulls out the first instance of memberOf (CN=tina) and ignores the others. Is there a simple solution for this?

the_wolverine · ‎02-10-2011

Comments doesn't allow me to format so here's my comment as a response:

How do I configure props so that it can be referenced in transforms? The following doesn't appear to work at all:

props.conf:

[ldif] 
EXTRACT-memberOf = multivalue_ldif

transforms: [multivalue_ldif]

REGEX = (?i)memberOf: CN=(?P<memberOf>[^\,]+) 
MV_ADD = true

View solution in original post

the_wolverine · ‎02-10-2011

Comments doesn't allow me to format so here's my comment as a response:

How do I configure props so that it can be referenced in transforms? The following doesn't appear to work at all:

props.conf:

[ldif] 
EXTRACT-memberOf = multivalue_ldif

transforms: [multivalue_ldif]

REGEX = (?i)memberOf: CN=(?P<memberOf>[^\,]+) 
MV_ADD = true

the_wolverine · ‎02-11-2011

w00t. Thanks Ledion and Stephen!

Stephen_Sorkin · ‎02-11-2011

REPORT-memberOf = multivalue_ldif. The EXTRACT signifies inline regex.

gkanapathy · ‎02-10-2011

I edited your source event data to match the regex. Please verify that I edited it correctly. Thanks.

Multiple values, same field -- how?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?