Hello All,

What is the best way to extract into a single field multiple values from a comma-separated list?

Example:

    xxxx Books:1,2,3,65,2,5 xxxxxx

From this I have created a field called Books which contains the string 1,2,3,65,2,5; however, what I would like to do is create a field called Books which takes each value as a single entry. So from the above example I would have 6 entries in the field Book for this particular log entry.
If you have extracted the field Books with a single value of 1,2,3,65,2,5 and want it to report as a multi-valued attribute, try this at search time:

    Books = * | makemv delim="," Books

Just in case, the other option is to use transforms.conf and fields.conf:
http://wiki.splunk.com/Community:Comma-Separated_Multi-Value_Field_Extraction_In_Single-line_Event
(06 Nov '11, 10:50)
Masa ♦
This can be easily done through regex on your props.conf & transforms.conf:

    # props.conf
    [sourcetype_for_the_csv]
    REPORT-multifield = multifield

    # transforms.conf
    [multifield]
    REGEX = Books:(\d+,\d+,\d+,\d+,\d+,\d+)
    FORMAT = book::$1
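
An added example, not part of the original posts: a chained search-time extraction that yields one Books value per list item for a list of any length, using MV_ADD in transforms.conf. The stanza names books_list and books_mv and the intermediate field Books_list are assumptions made for illustration; sourcetype_for_the_csv is the placeholder used in the answer above.

```ini
# props.conf (added example)
[sourcetype_for_the_csv]
# Transforms run in the order listed: first capture the whole list,
# then split it into individual values.
REPORT-books = books_list, books_mv

# transforms.conf (added example)
# Stage 1: capture the complete comma-separated list into a helper field.
# The named group creates the field directly, so no FORMAT is needed.
[books_list]
REGEX = Books:(?<Books_list>\d+(?:,\d+)*)

# Stage 2: run the regex against the helper field instead of _raw.
# MV_ADD = true appends every match as another value of Books
# instead of keeping only the first match.
[books_mv]
SOURCE_KEY = Books_list
REGEX = (\d+)
FORMAT = Books::$1
MV_ADD = true
```

For the sample event `xxxx Books:1,2,3,65,2,5 xxxxxx` this produces six values in Books (1, 2, 3, 65, 2, 5), the same result as the search-time `makemv delim=","` above but without changing each search.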