Solved: Multivalue value from props transforms fields.conf

isha_rastogi · ‎02-28-2018

I've field extracting as: allowed_ip: 10.1.1.10,10.2.2.15,10.3.3.14"
Using makemv in inline gives separate values makemv delim=", " allowed_ip"
I'm trying to implement it on backend instead of writing it inline none of it is working. Used fields.conf:

[allowed_ip]
TOKENIZER=([^\,]+)

Also tried to implement it in props.conf and transforms.conf:

props.conf

[abc:pce:metadata]
EXTRACT-IP = allowed_ip

transforms.conf:

[allowed_ip]
CLEAN_KEYS = 0
MV_ADD = 1
REGEX = (?<IP>[^,]+)
SOURCE_KEY = allowed_ip

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

View solution in original post

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

gavins_k1 · ‎10-19-2018

Thanks heaps @isha_rastogi , this helped me out a lot.
search-time > index-time and all that 🙂

Multivalue value from props transforms fields.conf

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Multivalue value from props transforms fields.conf

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25