I found a solution to my issue. I found an article about fields.conf at https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/ConfigureSplunktoparsemulti-valuefields
Using what was suggested in the docs, I created a fields.conf file in $SPLUNK_HOME/etc/system/local/. In this file, I added:
TOKENIZER = \S+
You can create a regex pattern to look for IPs, but in my case all of my IPs are separated by spaces, so I used the regex to get anything that is not non-whitespace, and it did the trick!
Thanks everyone for helping! : )
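As an added illustration (not code from this post or from Splunk), the Python below mimics what a fields.conf TOKENIZER does to the question's CSV row: each regex match becomes one value of a multi-value field. It also compares the answer's `\S+` with the IP-only pattern the answer mentions, using a constructed second row (assumed, not from the page) to show what the loose tokenizer lets through.

```python
import csv
import io
import re

# Constructed sample: the question's row plus a second row (assumed, not from
# the page) whose address column contains a token that is not an IP address.
SAMPLE_CSV = """rule,source_address, dest_address, proto
Test, 126.96.36.199 188.8.131.52 184.108.40.206, 220.127.116.11 18.104.22.168, icmp https
Bad, 10.0.0.1 not-an-ip, 10.0.0.2, tcp
"""

ANY_TOKEN = r"\S+"                           # the answer's fields.conf TOKENIZER
IPV4_TOKEN = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"  # stricter, IP-only alternative
ADDRESS_FIELDS = ("source_address", "dest_address")


def parse_rows(text):
    """Split on ',' (DELIMS) and trim the stray whitespace around each cell."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [{k.strip(): v.strip() for k, v in row.items()} for row in reader]


def tokenize(row, tokenizers):
    """Mimic TOKENIZER: every regex match becomes one value of a multi-value
    field; fields without a tokenizer stay single-valued strings."""
    return {f: re.findall(tokenizers[f], v) if f in tokenizers else v
            for f, v in row.items()}


def extract(text, address_regex=ANY_TOKEN):
    """Tokenize the address columns with address_regex; proto always on \\S+."""
    tokenizers = {f: address_regex for f in ADDRESS_FIELDS}
    tokenizers["proto"] = ANY_TOKEN
    return [tokenize(row, tokenizers) for row in parse_rows(text)]


def rejected_tokens(text):
    """Data-quality check: address tokens \\S+ accepts but the IP-only
    tokenizer drops. Non-empty means junk is being indexed as an address."""
    diff = {}
    for loose, strict in zip(extract(text, ANY_TOKEN), extract(text, IPV4_TOKEN)):
        for f in ADDRESS_FIELDS:
            extra = [t for t in loose[f] if t not in strict[f]]
            if extra:
                diff.setdefault(loose["rule"], {})[f] = extra
    return diff
```

Running `rejected_tokens(SAMPLE_CSV)` on the constructed data reports the `not-an-ip` token in the `Bad` row, which `\S+` would have indexed as a source address.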
I'm trying to upload a CSV file into Splunk; however, it doesn't seem to parse the multi-value fields correctly.
Here is the data I have:
rule,source_address, dest_address, proto
Test, 126.96.36.199 188.8.131.52 184.108.40.206, 220.127.116.11 18.104.22.168, icmp https
I want all the source addresses/dest addresses/applications in separate rows so that they are independent for searching, but I couldn't get it to work. After I uploaded the file, if I looked at the extracted field for source_address, it showed all three on one line (e.g. source_address="22.214.171.124 126.96.36.199 188.8.131.52") instead of 3 unique values.
Desired output when running "index=test | table rule, source_address, dest_address, proto" without EVAL, makemv, etc.:
For now, I have:
I have tried modifying props.conf and transforms.conf, such as the following and other suggestions I found on https://answers.splunk.com/, but nothing seems to work.
DELIMS = ","
FIELDS = rule, source_address, dest_address, proto
REPORT-extract_space = extract_space
DELIMS = " "
FIELDS = source_address, dest_address, proto
How can I get these columns to parse correctly? Please help!
Thanks in advance!