Solved: Multivalue value from props transforms fields.conf

isha_rastogi · ‎02-28-2018

I've field extracting as: allowed_ip: 10.1.1.10,10.2.2.15,10.3.3.14"
Using makemv in inline gives separate values makemv delim=", " allowed_ip"
I'm trying to implement it on backend instead of writing it inline none of it is working. Used fields.conf:

[allowed_ip]
TOKENIZER=([^\,]+)

Also tried to implement it in props.conf and transforms.conf:

props.conf

[abc:pce:metadata]
EXTRACT-IP = allowed_ip

transforms.conf:

[allowed_ip]
CLEAN_KEYS = 0
MV_ADD = 1
REGEX = (?<IP>[^,]+)
SOURCE_KEY = allowed_ip

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

View solution in original post

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

gavins_k1 · ‎10-19-2018

Thanks heaps @isha_rastogi , this helped me out a lot.
search-time > index-time and all that 🙂

Multivalue value from props transforms fields.conf

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

Multivalue value from props transforms fields.conf

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...