Refine your search:

multivalue fields and fields.conf

1
4

With the following data: mac_addr=01-02-03-04-05-06, 01-02-03-04-05-07, 01-02-03-04-05-08

Using this search will properly yield all the unique values of mac_addr:

* | makemv delim=", " mac_addr

Setting fields.conf as follows:

[mac_addr]
INDEXED = false
INDEXED_VALUE = false

While using a TOKENIZER of ([^,]\*) doesn't change the behavior of a basic search, like "*".

What should be defined in the conf files, so that any search will yield the multivalue elements of the field, as if makemv had been specified, without having to specify makemv? Using a search macro or eventtype is an undesired alternative.

Thanks!

asked 01 Aug '10, 19:47

Ron%20Naken's gravatar image

Ron Naken
3.0k320
accept rate: 35%

edited 31 May '11, 12:48

jlaw's gravatar image

jlaw ♦
20113
4 Answers:
oldestnewestmost voted
6

I might try:

TOKENIZER = ([^,]*)(,\s*)?

But that's a guess. You can also try a search-time extraction instead:

[mysourcetype]
REPORT-mac = mac_addr,mac_addr_mv

[mac_addr]
#whatever you need to extract mac_addr_list, something like:
REGEX = mac_addr=(?<mac_addr>.*?)\s*(?=$|,\w+=)

[mac_addr_mv]
SOURCE_KEY = mac_addr
REGEX = (?<mac_addr_mv>[^,]*)(,\s*)?
MV_ADD = true

The key of course is to ensure that the list extraction happens before the mv extraction (so listing them sequentially in the same REPORT clause guarantees that). I am not sure of the relative order of extractions for KV_MODE=auto, EXTRACT, and REPORT rules in props.conf, but I think that it occurs in that very order, so that might work if mac_addr were extracted by KV_MODE or EXTRACT rules.

link

answered 02 Aug '10, 18:13

gkanapathy's gravatar image

gkanapathy ♦
26.4k1622
accept rate: 42%

edited 02 Aug '10, 20:25

2

Try just specifying the following:

[mac_addr]
TOKENIZER=([^\,]+)

I would also recommend making mac_addr Common-Information-Model compliant.

link

answered 02 Aug '10, 03:35

araitz's gravatar image

araitz ♦♦
7.1k2516
accept rate: 38%

2

Tokenizer didn't seem to work as expected. The search-time extraction worked like a charm.

link

answered 09 Feb '11, 10:10

Ron%20Naken's gravatar image

Ron Naken
3.0k320
accept rate: 35%

ron, which tokenizer suggestion didn't work, araitz's or gkanapathy's? Or both?

(25 Apr '11, 14:59) blurblebot
1

Can someone expand on how to get the tokenizer working in this example?

link

answered 25 Jul '11, 12:49

ehoward's gravatar image

ehoward
211
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×166
×60
×16

Asked: 01 Aug '10, 19:47

Seen: 1,077 times

Last updated: 10 Aug '11, 14:33

Related questions

Regex tokenizer when the multivalue field has values within an event that are not always connected in a structured way?

Comparing multivalue fields

Problems Comparing Multivalue Fields

Why is transaction not making multivalue fields in event order?

CIDR search against multivalue fields

Trouble with MultiValue Fields

weirdness using max() and min() in eval, operating on numeric multivalue fields

How do I refer to the first, nth or last value of a multivalue field?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.