Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multivalued field extraction

Abhi89
New Member
‎08-17-2020 11:49 PM

This is the search i am using to extract key/value from the field  "RID" with multivalued "DEF"

| rex max_match=0 field=RID "(?P<key>[A-Z]+)\s+:\s+(?P<value>[^\n|\"]+)\"?,?"

RID=
"ABC: ABC-2017-5715
DEF: 4057120
DEF : 4088779
DEF : 4088782
DEF : 4088786
XYZ : https://portal.msrc.microsoft.com/en-US/"

This works fine while performed from the GUI and are extracted into new fields key & value. But the same thing when applied through transforms.conf doesnt extract anything. 

# extract multiple fields within source_key and give them key=value
SOURCE_KEY = RID
#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?
REGEX = ([A-Z]+)\s+:\s+([^\n|\"]+)\"?,?
FORMAT = $1::$2
MV_ADD = 1

The above is the extraction used in transforms.conf with appropriate reference in props.conf. Anybody who has faced something similar and been able to fix? 

Labels (3)
Labels
0 Karma
Reply

Abhi89
New Member
‎08-18-2020 01:41 AM

Thats right @to4kawa. "RID" is an indexed field.

0 Karma
Reply

to4kawa
Ultra Champion
‎08-18-2020 12:16 AM

SOURCE_KEY = field:RID
#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?
REGEX = (?m)([A-Z]+)\s*:\s*([^\"]+)$
FORMAT = $1::$2
MV_ADD = 1
REPEAT_MATCH = true

RID field is indexed field?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...