I have a use case that uses an indexed field that is configured at input time:
[monitor:///my/input/file1]
_meta = new_field::value1
[monitor:///my/input/file2]
_meta = new_field::value1,value2
Is it possible to make new_field a true multi value field, so that a particular event could have a list of values and I can search on new_field=value1 rather than new_field=value1* or new_field=*value2?
I know this is a really old post, but in case someone else comes across this, to create a multivalue _meta field, use this syntax:
_meta = new_field::value1 new_field::value2
@adam.reber - Were you able to test out gvmorley's solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!
Hi,
Maybe not exactly what you're looking for, but for different sources / sourcetypes, you could add an EVAL in props.conf:
EVAL-new_field = mvappend("value1","value2","value3")
Again, just one quick workaround.