Solved: Multivalue value from props transforms fields.conf

isha_rastogi · ‎02-28-2018

I've field extracting as: allowed_ip: 10.1.1.10,10.2.2.15,10.3.3.14"
Using makemv in inline gives separate values makemv delim=", " allowed_ip"
I'm trying to implement it on backend instead of writing it inline none of it is working. Used fields.conf:

[allowed_ip]
TOKENIZER=([^\,]+)

Also tried to implement it in props.conf and transforms.conf:

props.conf

[abc:pce:metadata]
EXTRACT-IP = allowed_ip

transforms.conf:

[allowed_ip]
CLEAN_KEYS = 0
MV_ADD = 1
REGEX = (?<IP>[^,]+)
SOURCE_KEY = allowed_ip

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

View solution in original post

isha_rastogi · ‎02-28-2018

able to solve it .. used split in eval command:
eval allowed_ip=split(allowed_ip,",") and it worked perfectly

gavins_k1 · ‎10-19-2018

Thanks heaps @isha_rastogi , this helped me out a lot.
search-time > index-time and all that 🙂

Multivalue value from props transforms fields.conf

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability