Solved: Multivalue value from props transforms fields.conf

isha_rastogi · ‎02-28-2018

I've field extracting as: allowed_ip: 10.1.1.10,10.2.2.15,10.3.3.14"
Using makemv in inline gives separate values makemv delim=", " allowed_ip"
I'm trying to implement it on backend instead of writing it inline none of it is working. Used fields.conf:

[allowed_ip]
TOKENIZER=([^\,]+)

Also tried to implement it in props.conf and transforms.conf:

props.conf

[abc:pce:metadata]
EXTRACT-IP = allowed_ip

transforms.conf:

[allowed_ip]
CLEAN_KEYS = 0
MV_ADD = 1
REGEX = (?<IP>[^,]+)
SOURCE_KEY = allowed_ip

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

View solution in original post

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

gavins_k1 · ‎10-19-2018

Thanks heaps @isha_rastogi , this helped me out a lot.
search-time > index-time and all that 🙂

Multivalue value from props transforms fields.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation