Solved: Multi-value fields not populating for index

ccollord · ‎04-05-2012

Hello,
I think i'm doing something wrong, but i've read through all the manuals and can't figure out what it is!

I have an index named "email" that has entries that look like this:
[MAILTO]foo@bar.com [MAILTO]dog@cat.com [MAILFROM]cat@hat.com [SUBJECT]Hi there! ....

In my props.conf file:
[email] <--- this is the name of my index
MAX_TIMESTAMP_LOOKAHEAD = 40
TZ=UTC
REPORT-email = email-mv

In my transforms.conf file:
[email-mv]
REGEX = ([[^\s]+])([^\t]+)
FORMAT = $1$2
MV_ADD = true

I've been trying various things all morning and then doing " index=email | extract reload=T ". Any ideas what i'm missing?
Thanks!
~Chris

Stephen_Sorkin · ‎04-05-2012

Two problems.

props.conf must be in terms of sourcetype, source or host, not index.
The format here should be $1::$2.

View solution in original post

ccollord · ‎04-09-2012

Thank you! "email" was also my sourcetype name so i was okay there but the change to the FORMAT fixed it!

Stephen_Sorkin · ‎04-05-2012

Two problems.

props.conf must be in terms of sourcetype, source or host, not index.
The format here should be $1::$2.

Multi-value fields not populating for index

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!