Re: Multivalued field extraction

Abhi89 · ‎08-17-2020

This is the search i am using to extract key/value from the field "RID" with multivalued "DEF"

| rex max_match=0 field=RID "(?P<key>[A-Z]+)\s+:\s+(?P<value>[^\n|\"]+)\"?,?"

RID=
"ABC: ABC-2017-5715
DEF: 4057120
DEF : 4088779
DEF : 4088782
DEF : 4088786
XYZ : https://portal.msrc.microsoft.com/en-US/"

This works fine while performed from the GUI and are extracted into new fields key & value. But the same thing when applied through transforms.conf doesnt extract anything.

# extract multiple fields within source_key and give them key=value
SOURCE_KEY = RID
#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?
REGEX = ([A-Z]+)\s+:\s+([^\n|\"]+)\"?,?
FORMAT = $1::$2
MV_ADD = 1

The above is the extraction used in transforms.conf with appropriate reference in props.conf. Anybody who has faced something similar and been able to fix?

Abhi89 · ‎08-18-2020

Thats right @to4kawa. "RID" is an indexed field.

to4kawa · ‎08-18-2020

SOURCE_KEY = field:RID
#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?
REGEX = (?m)([A-Z]+)\s*:\s*([^\"]+)$
FORMAT = $1::$2
MV_ADD = 1
REPEAT_MATCH = true

RID field is indexed field?

Multivalued field extraction

field extraction

regex

rex

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation