cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kimle
Engager
Member since: ‎11-21-2019
‎06-05-2020
Community Statistics
Posts 2
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎11-21-2019
Activity Feed
View All

Re: Why is CSV data with multiple values in one ce...

by in Splunk Search
‎11-22-2019 03:02 PM
‎11-22-2019 03:02 PM
I found a solution to my issue. I found an article abut fields.conf from https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/ConfigureSplunktoparsemulti-valuefields Using what suggested in the docs, I created fields.conf file in $SPLUNK_HOME/etc/system/local/. In this file, I added [my_fieldname] TOKENIZER = \S+ You can create a regex pattern to look to IPs, but in my case all of my IPs are separated by space, so I used the regex to get anything that is not non-whitespace and did the trick! Thanks everyone for helping! : ) ... View more

Why is CSV data with multiple values in one cell p...

by in Splunk Search
‎11-21-2019 04:24 PM
‎11-21-2019 04:24 PM
I'm trying to upload a CSV file into Splunk, however, it doesn't seem to parse it correctly for the multiple values fields. Here is the data I have: rule,source_address, dest_address, proto Test, 1.1.1.1 1.2.2.2 1.3.3.3, 4.4.4.4 4.4.5.5, icmp https I want all the source address/dest address/application in a separate row so that they are independent for searching, but I couldn't get it to work. After I uploaded the file, if I looked at the extracted field for source_address, it will show all three in 1 line (e.g source_address="1.1.1.1 1.2.2.2 1.3.3.3") instead of 3 unique values Desire output when running " index=test | table rule, source_address, dest_address, proto " without EVAL, makemv, etc: For now, I have: I have tried modifying props.conf and transforms.conf such as the following and other suggestions I found in https://answers.splunk.com/, but nothing seems to work. props.conf: [my_sourcetype] DELIMS = "," FIELDS = rule, source_address, dest_address, proto REPORT-extract_space = extract_space transforms.conf [extract_space] DELIMS = " " FIELDS = source_address, dest_address, proto How can I get these columns to parse correctly? Please help! Thanks in advance! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM