Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

multivalue fields and fields.conf

Ron_Naken
Splunk Employee
Splunk Employee
‎08-01-2010 07:47 PM

With the following data: mac_addr=01-02-03-04-05-06, 01-02-03-04-05-07, 01-02-03-04-05-08

Using this search will properly yield all the unique values of mac_addr:

* | makemv delim=", " mac_addr

Setting fields.conf as follows:

[mac_addr]
INDEXED = false
INDEXED_VALUE = false

While using a TOKENIZER of ([^,]\*) doesn't change the behavior of a basic search, like "*".

What should be defined in the conf files, so that any search will yield the multivalue elements of the field, as if makemv had been specified, without having to specify makemv? Using a search macro or eventtype is an undesired alternative.

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-02-2010 06:13 PM

I might try:

TOKENIZER = ([^,]*)(,\s*)?

But that's a guess. You can also try a search-time extraction instead:

[mysourcetype]
REPORT-mac = mac_addr,mac_addr_mv

[mac_addr]
#whatever you need to extract mac_addr_list, something like:
REGEX = mac_addr=(?<mac_addr>.*?)\s*(?=$|,\w+=)

[mac_addr_mv]
SOURCE_KEY = mac_addr
REGEX = (?<mac_addr_mv>[^,]*)(,\s*)?
MV_ADD = true

The key of course is to ensure that the list extraction happens before the mv extraction (so listing them sequentially in the same REPORT clause guarantees that). I am not sure of the relative order of extractions for KV_MODE=auto, EXTRACT, and REPORT rules in props.conf, but I think that it occurs in that very order, so that might work if mac_addr were extracted by KV_MODE or EXTRACT rules.

View solution in original post

Reply
Solved! Jump to solution

ehoward
Path Finder
‎07-25-2011 12:49 PM

Can someone expand on how to get the tokenizer working in this example?

Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-09-2011 10:10 AM

Tokenizer didn't seem to work as expected. The search-time extraction worked like a charm.

Reply
Solved! Jump to solution

blurblebot
Communicator
‎04-25-2011 02:59 PM

ron, which tokenizer suggestion didn't work, araitz's or gkanapathy's? Or both?

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-02-2010 06:13 PM

I might try:

TOKENIZER = ([^,]*)(,\s*)?

But that's a guess. You can also try a search-time extraction instead:

[mysourcetype]
REPORT-mac = mac_addr,mac_addr_mv

[mac_addr]
#whatever you need to extract mac_addr_list, something like:
REGEX = mac_addr=(?<mac_addr>.*?)\s*(?=$|,\w+=)

[mac_addr_mv]
SOURCE_KEY = mac_addr
REGEX = (?<mac_addr_mv>[^,]*)(,\s*)?
MV_ADD = true

The key of course is to ensure that the list extraction happens before the mv extraction (so listing them sequentially in the same REPORT clause guarantees that). I am not sure of the relative order of extractions for KV_MODE=auto, EXTRACT, and REPORT rules in props.conf, but I think that it occurs in that very order, so that might work if mac_addr were extracted by KV_MODE or EXTRACT rules.

Reply
Solved! Jump to solution

jpass
Contributor
‎02-20-2013 12:41 PM

There's two answers here. Which one worked?

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎08-02-2010 03:35 AM

Try just specifying the following:

[mac_addr]
TOKENIZER=([^\,]+)

I would also recommend making mac_addr Common-Information-Model compliant.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...