What is the best way to extract into a single field multiple values from a comma-separated list:
Example: xxxx Books:1,2,3,65,2,5 xxxxxx
From this I have created a field called Books which contains the string 1,2,3,65,2,5 however what I would like to do is create a field called Books which takes each value as a single entry.
So from the above example I would have 6 entries in the field Book for this particular log entry.
asked 15 Apr '10, 11:30
If you have extracted the field Books with a single value of 1,2,3,65,2,5 and want it to report as a multi-valued attribute, try this at search time:
Books = * | makemv delim="," Books
answered 15 Apr '10, 12:43
This can be easily done through regex on your props.conf & transforms.conf:
# props.conf
[sourcetype_for_the_csv]
REPORT-multifield = multifield

# transforms.conf
[multifield]
REGEX = Books:(\d+,\d+,\d+,\d+,\d+,\d+)
FORMAT = book::$1
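To compare the two answers on events with differing list lengths, here is an added Python sketch (not part of either answer, and not Splunk code) that applies the fixed six-number regex from the transforms.conf answer next to a capture-then-split on the delimiter, as in the makemv answer. The `ANY_LENGTH` pattern, the function names and every sample event except the first are constructed for illustration.

```python
import re

# Regex copied from the transforms.conf answer: exactly six numbers.
FIXED_SIX = re.compile(r"Books:(\d+,\d+,\d+,\d+,\d+,\d+)")
# Assumed general pattern (not from the page): one or more numbers.
ANY_LENGTH = re.compile(r"Books:(\d+(?:,\d+)*)")


def extract_single(event):
    """Value captured by the fixed regex: one string, or None if no match."""
    m = FIXED_SIX.search(event)
    return m.group(1) if m else None


def extract_multivalue(event, delim=","):
    """Capture the whole list, then split it on the delimiter."""
    m = ANY_LENGTH.search(event)
    return m.group(1).split(delim) if m else []


# The first event is the example from the question; the rest are constructed.
SAMPLE_EVENTS = [
    "xxxx Books:1,2,3,65,2,5 xxxxxx",
    "xxxx Books:7,8 xxxxxx",
    "xxxx Books:1,2,3,4,5,6,7,8 xxxxxx",
    "xxxx no list in this event xxxxxx",
]


def compare(events):
    """Return (event, single_value, multi_values) for each event."""
    return [(e, extract_single(e), extract_multivalue(e)) for e in events]


if __name__ == "__main__":
    for event, single, multi in compare(SAMPLE_EVENTS):
        print(event)
        print("  fixed regex :", repr(single))
        print("  split values:", multi, "count =", len(multi))
```

On the constructed events, the fixed pattern finds nothing in the two-item list and captures only the first six numbers of the eight-item list, which matters when the field feeds counts or alert conditions.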