I'm working with CEF logs in Splunk where some fields contain comma-separated values.

Goal

Find a generic solution so that any field containing comma-separated values is automatically treated as a true multi-value field during field extraction, without needing to define each field name individually in the props.conf file.

Example event:

CEF:0|vendor|product|1.0||||dst_ip=172.18.20.16,172.18.20.12,172.18.20.13,172.18.20.10|src_ip=10.1.1.1,10.1.1.2|user_list=alice,bob,charlie|error_codes=ERR101,ERR102|app_names=Splunk,ServiceNow,Elastic|location=datacenter-1|priority=high|status=open

Current config

1. props.conf:

[my:sourecetype]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
REPORT-generic_field_extraction = generic_key_value_extraction
EVAL-dst_ip = split(dst_ip, ",")
EVAL-src_ip = split(src_ip, ",")
EVAL-user_list = split(user_list, ",")
EVAL-error_codes = split(error_codes, ",")
EVAL-app_names = split(app_names, ",")

2. transforms.conf:

[generic_key_value_extraction]
REGEX = (?<_KEY_1>[^=|]+)=(".*?"|[^|]+)
FORMAT = $1::$2
MV_ADD = true
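As an added example (not from the original post or from Splunk itself), here is a Python reference implementation of the semantics the question asks for: the same key=value regex from the transforms.conf stanza, applied to the sample event, with every unquoted value that contains a comma turned into a multi-value list, while quoted values and single values stay scalar. It is useful for checking the expected field values before changing the indexer or search-head configuration.

```python
import re
from typing import Dict, List, Union

# Same pattern as the transforms.conf stanza in the question: a key is
# anything up to '=', a value is either double-quoted or runs to the next '|'.
KV_RE = re.compile(r'(?P<key>[^=|]+)=(?P<val>".*?"|[^|]+)')

# Constructed sample event (copied from the question).
SAMPLE_EVENT = (
    'CEF:0|vendor|product|1.0||||'
    'dst_ip=172.18.20.16,172.18.20.12,172.18.20.13,172.18.20.10|'
    'src_ip=10.1.1.1,10.1.1.2|user_list=alice,bob,charlie|'
    'error_codes=ERR101,ERR102|app_names=Splunk,ServiceNow,Elastic|'
    'location=datacenter-1|priority=high|status=open'
)

Field = Union[str, List[str]]


def extract_fields(event: str) -> Dict[str, Field]:
    """Run the generic key=value extraction, then split any unquoted value
    containing a comma into a multi-value list (mirroring split(x, ",")).

    The CEF header fields (CEF:0, vendor, product, version) never match
    because they carry no '=', so only extension fields are returned.
    Quoted values are kept verbatim minus the quotes, so a literal comma
    inside quotes is not mistaken for a multi-value separator.
    """
    fields: Dict[str, Field] = {}
    for m in KV_RE.finditer(event):
        key = m.group('key').strip()
        raw = m.group('val')
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            fields[key] = raw[1:-1]  # quoted: never split
        elif ',' in raw:
            fields[key] = raw.split(',')  # same tokens Splunk's split() yields
        else:
            fields[key] = raw
    return fields


if __name__ == '__main__':
    for name, value in extract_fields(SAMPLE_EVENT).items():
        print(f'{name}: {value}')
```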