How can I use props and transforms to extract mult...

nareshinsvu · ‎02-06-2023

Hi experts there,

Trying to extract multivalue output from a multiline json field through props and transforms. How best can I achieve for the below sample data (for my_mvdata field) ?

I can write a regex in pros.conf with \\t delimiter. But only getting the first line. How to use multi add and do it through transforms?

{
something: false
somethingelse: true
blah:
blah:
my_mvdata: server1	count1	country1	code1	message1
server2	count1	country1	code1	message2
server3	count1	country1	code1	message3
server4	count1	country1	code1	message4
blah:
blah:
}

gcusello · ‎02-06-2023

Hi @nareshinsvu,

this seems to be a json format, so use on your props.conf:

INDEXED_EXTRACTIONS = JSON

remember that only for this parameter, it's mandatory to put the props.conf both on Universal Forwarders, Indexers and Search Heads.

Ciao.

Giuseppe

nareshinsvu · ‎02-06-2023

Sure @gcusello , and what else should I put in the conf files to extract that fields as multivalued

gcusello · ‎02-06-2023

Hi @nareshinsvu,

the above option is useful to extract all the fields as multivalue.

in addition you should add also

SHOULD_LINEMERGE = true

but in my opinion, the best approach is:

take a sample of your logs in a file,
ingest it using the GUI guided procedure to choose the correct sourcetype,
copy the found sourcetype in all the systems interested to this ingestion.

Ciao.

Giuseppe

How can I use props and transforms to extract multiline muntivalue event?

field extraction

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?