With the following data: mac_addr=01-02-03-04-05-06, 01-02-03-04-05-07, 01-02-03-04-05-08
Using this search will properly yield all the unique values of mac_addr:
* | makemv delim=", " mac_addr
Setting fields.conf as follows:
[mac_addr]
INDEXED = false
INDEXED_VALUE = false
While using a TOKENIZER of
([^,]*) doesn't change the behavior of a basic search, like
What should be defined in the conf files, so that any search will yield the multivalue elements of the field, as if makemv had been specified, without having to specify makemv? Using a search macro or eventtype is an undesired alternative.
Try just specifying the following:
I would also recommend making mac_addr Common-Information-Model compliant.
I might try:
TOKENIZER = ([^,]*)(,\s*)?
But that's a guess. You can also try a search-time extraction instead:
[mysourcetype]
REPORT-mac = mac_addr,mac_addr_mv

[mac_addr]
# whatever you need to extract mac_addr_list, something like:
REGEX = mac_addr=(?<mac_addr>.*?)\s*(?=$|,\w+=)

[mac_addr_mv]
SOURCE_KEY = mac_addr
REGEX = (?<mac_addr_mv>[^,]*)(,\s*)?
MV_ADD = true
The key of course is to ensure that the list extraction happens before the mv extraction (so listing them sequentially in the same REPORT clause guarantees that). I am not sure of the relative order of extractions for REPORT rules in props.conf, but I think that it occurs in that very order, so that might work if mac_addr were extracted by
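As an added illustration, not part of the question or either answer and not Splunk's own code: a small Python emulation of what the two TOKENIZER patterns and the chained REPORT transforms above would produce on a constructed sample event. It assumes Splunk's TOKENIZER semantics (the regex is applied repeatedly and the first capture group of each match becomes one multivalue entry, empty captures dropped) and rewrites the `(?<name>...)` groups to Python's `(?P<name>...)` syntax; the patterns are otherwise the ones from the answer.

```python
import re
from typing import List, Optional

# Constructed sample event in the shape the question describes (not from the page).
SAMPLE_EVENT = "mac_addr=01-02-03-04-05-06, 01-02-03-04-05-07, 01-02-03-04-05-08,host=web01"

# The two tokenizers discussed: the question's and the answer's guess.
TOKENIZER_QUESTION = r"([^,]*)"
TOKENIZER_ANSWER = r"([^,]*)(,\s*)?"

# The answer's transforms.conf regexes, with Splunk's (?<name>...) rewritten to
# Python's (?P<name>...). Assumed to behave the same way under PCRE in Splunk.
MAC_LIST_REGEX = r"mac_addr=(?P<mac_addr>.*?)\s*(?=$|,\w+=)"
MAC_MV_REGEX = r"(?P<mac_addr_mv>[^,]*)(,\s*)?"


def tokenize(value: str, tokenizer: str) -> List[str]:
    """Emulate a fields.conf TOKENIZER: apply the regex repeatedly across the
    value and turn the first capture group of every match into one multivalue
    entry, dropping empty captures. Emulation for illustration only."""
    return [m.group(1) for m in re.finditer(tokenizer, value) if m.group(1)]


def extract_mac_list(event: str) -> Optional[str]:
    """Stage 1 of the REPORT chain ([mac_addr] transform): pull the raw
    comma-separated list out of the event. The lookahead stops the lazy .*?
    at end of event or just before the next key=value pair."""
    m = re.search(MAC_LIST_REGEX, event)
    return m.group("mac_addr") if m else None


def extract_mac_mv(event: str) -> List[str]:
    """Stage 2 ([mac_addr_mv] transform with SOURCE_KEY = mac_addr and
    MV_ADD = true): every capture becomes another value of the field.
    It depends on stage 1 having run first, which is the ordering point
    the answer raises about REPORT-mac = mac_addr,mac_addr_mv."""
    mac_list = extract_mac_list(event)
    if mac_list is None:
        return []
    return [m.group("mac_addr_mv")
            for m in re.finditer(MAC_MV_REGEX, mac_list)
            if m.group("mac_addr_mv")]


if __name__ == "__main__":
    raw = extract_mac_list(SAMPLE_EVENT)
    print("raw list:                  ", raw)
    # The question's tokenizer keeps the space after each comma in the token;
    # the answer's guess consumes ", " so the values come out clean.
    print("TOKENIZER ([^,]*):         ", tokenize(raw, TOKENIZER_QUESTION))
    print("TOKENIZER ([^,]*)(,\\s*)?: ", tokenize(raw, TOKENIZER_ANSWER))
    print("REPORT chain:              ", extract_mac_mv(SAMPLE_EVENT))
```

The difference between the two tokenizers on this input is the leading space: `([^,]*)` yields ` 01-02-03-04-05-07` and ` 01-02-03-04-05-08` as separate values with the whitespace still attached, whereas `([^,]*)(,\s*)?` consumes the delimiter and its trailing whitespace between matches, which is the same result `makemv delim=", "` gives.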