Re: Multivalued field extraction

Abhi89 · ‎08-17-2020

This is the search i am using to extract key/value from the field "RID" with multivalued "DEF"

| rex max_match=0 field=RID "(?P<key>[A-Z]+)\s+:\s+(?P<value>[^\n|\"]+)\"?,?"

RID=
"ABC: ABC-2017-5715
DEF: 4057120
DEF : 4088779
DEF : 4088782
DEF : 4088786
XYZ : https://portal.msrc.microsoft.com/en-US/"

This works fine while performed from the GUI and are extracted into new fields key & value. But the same thing when applied through transforms.conf doesnt extract anything.

# extract multiple fields within source_key and give them key=value
SOURCE_KEY = RID
#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?
REGEX = ([A-Z]+)\s+:\s+([^\n|\"]+)\"?,?
FORMAT = $1::$2
MV_ADD = 1

The above is the extraction used in transforms.conf with appropriate reference in props.conf. Anybody who has faced something similar and been able to fix?

Abhi89 · ‎08-18-2020

Thats right @to4kawa. "RID" is an indexed field.

to4kawa · ‎08-18-2020

SOURCE_KEY = field:RID
#REGEX = ([A-Z]+)\s+\:\s+([^\s|\n|\"]+)\"?,?
REGEX = (?m)([A-Z]+)\s*:\s*([^\"]+)$
FORMAT = $1::$2
MV_ADD = 1
REPEAT_MATCH = true

RID field is indexed field?

Multivalued field extraction

field extraction

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation