Solved: Multivalue value from props transforms fields.conf

isha_rastogi · ‎02-28-2018

I've field extracting as: allowed_ip: 10.1.1.10,10.2.2.15,10.3.3.14"
Using makemv in inline gives separate values makemv delim=", " allowed_ip"
I'm trying to implement it on backend instead of writing it inline none of it is working. Used fields.conf:

[allowed_ip]
TOKENIZER=([^\,]+)

Also tried to implement it in props.conf and transforms.conf:

props.conf

[abc:pce:metadata]
EXTRACT-IP = allowed_ip

transforms.conf:

[allowed_ip]
CLEAN_KEYS = 0
MV_ADD = 1
REGEX = (?<IP>[^,]+)
SOURCE_KEY = allowed_ip

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

View solution in original post

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

gavins_k1 · ‎10-19-2018

Thanks heaps @isha_rastogi , this helped me out a lot.
search-time > index-time and all that 🙂

Multivalue value from props transforms fields.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation