Hi to everyone,
If I have this data, a lot of IPs, how can I extract multiple values for a field? (For a config file, not search) For example:
Ip_address=10.1.144.80, 10.1.148.183, etc.
I'll be grateful for your help
Regards
Use MV_ADD=true. Read more here.
Or you could use fields.conf or check out this answer using props.conf & transforms.conf.
Just add this to your search:
... | rex "([[ipv4]])" | makemv ip
Or, if your ip is already extracted as Ip_address, you can make it multivalued with makemv:
... | makemv Ip_address
Nitpicking: The "Permanently" approach is also search-time 😛
You are right. Edited.
WOW I didn't know about
| rex "([[ipv4]])"
Is there a list somewhere with all other regexes that ship with Splunk?
@theeansible check transforms.conf
At the bottom, you'll see
###### BASIC MODULAR REGULAR EXPRESSIONS DEFINITION START ###########
🙂
Thank you aljohnson, but I need it for a permanent extraction, not in the search.
I see. I edited my answer to reference permanent extractions.
Thank you very much
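
A sketch of the props.conf and transforms.conf setup with MV_ADD that the answer points to, added here as an example and not taken from the thread or from Splunk's shipped configuration. The sourcetype name my_ip_list and the stanza name ip_address_mv are assumptions, and the regex is a simple dotted-quad matcher rather than the built-in [[ipv4]] definition:

```ini
# transforms.conf
# Hypothetical stanza name. The named capture group sets the field name,
# so no FORMAT line is needed for this search-time extraction.
[ip_address_mv]
REGEX = (?<Ip_address>\b\d{1,3}(?:\.\d{1,3}){3}\b)
# Without MV_ADD, a value found for a field that already exists is discarded,
# so Ip_address would hold only the first address in the event.
# With MV_ADD = true, each further match is appended and the field becomes multivalued.
MV_ADD = true

# props.conf
# Hypothetical sourcetype; replace it with the sourcetype of the events that hold the IP list.
[my_ip_list]
REPORT-ip_address_mv = ip_address_mv
```

Both stanzas belong on the search head, since REPORT extractions are applied at search time.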