I am having a problem extracting multivalued fields. I think it's because this particular field is quoted.
ids=\"XXX-404994280,XXX-404993710,XXX-335205060,XXX-404991340,XXX-335203510\"
The following search: index=app_logs env=prod | makemv delim="," ids | mvexpand ids
does not yield the expected result of 5 new events.
It seems like this is a bug in the way Splunk evaluates multivalued fields that is agitated by the slash and the quote, so I was trying to get around this problem by removing the
\"
It seems like Splunk must run the rex commands after the mv commands. Is there any way to force it to run rex first? Is there any documentation on the order of operations of the Splunk commands?