I'm using props.conf and transforms.conf to extract fields with delimiters, some of which are multi-valued. Example:
in transforms.conf:
[BHT_Fields]
DELIMS = '*'
FIELDS = BHT_1,BHT_2,BHT_3,BHT_4,BHT_5,BHT_6
SOURCE_KEY = BHT
The following data extracts to:
BHT*0006*12*119283254-20254*20170728*102604*18
BHT_1 = 0006
BHT_2 = 12
...etc.
But for another field:
[DMG_Fields]
DELIMS = '*'
FIELDS = DMG_1,DMG_2,DMG_3
SOURCE_KEY = DMG
This field has multiple values:
DMG*D8*19820811*M
DMG*D8*19610130*U
It extracts to:
DMG_1 = D8
DMG_2 = 19820811
DMG_3 = M D8
...and that's it. It grabs the beginning of the second row (into the last field of the first row), then doesn't grab anything else.
I've got MV_ADD = true in transforms.conf.
How do I get Splunk to extract that second row?
Try changing your transforms.conf entry like this:
[DMG_Fields]
REGEX = DMG\*([^\*]+)\*([^\*]+)\*([^\*]+)
FORMAT = DMG_1::$1 DMG_2::$2 DMG_3::$3
SOURCE_KEY = DMG
MV_ADD = true
I tried your suggestion, but it returned nothing.
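The two results reported in this thread can be reproduced with a small Python model. This is an added example, not code from any poster and not Splunk's own implementation. It assumes the DMG value reaches the transform as both rows joined by a newline with the "DMG*" prefix already stripped; the function names and ROW_PATTERN are hypothetical.

```python
import re

# Constructed input: the two DMG rows from the question, assumed to arrive as
# one value with the "DMG*" prefix stripped and the rows separated by a newline.
DMG_VALUE = "D8*19820811*M\nD8*19610130*U"
FIELDS = ["DMG_1", "DMG_2", "DMG_3"]


def delims_extract(value, fields, delim="*"):
    """Model of a DELIMS/FIELDS split: cut on the delimiter only and pair
    tokens with field names by position; extra tokens are dropped."""
    tokens = value.split(delim)
    # Whitespace (including the row break) is collapsed as it would display.
    return {name: " ".join(tok.split()) for name, tok in zip(fields, tokens)}


def regex_extract_mv(value, pattern, fields):
    """Model of a REGEX/FORMAT transform with MV_ADD = true: every match
    appends its capture groups to the per-field value lists."""
    out = {name: [] for name in fields}
    for match in re.finditer(pattern, value):
        for name, group in zip(fields, match.groups()):
            out[name].append(group)
    return out


# Pattern from the answer: needs a literal "DMG*" in front of each row.
ANSWER_PATTERN = r"DMG\*([^\*]+)\*([^\*]+)\*([^\*]+)"
# Hypothetical variant: no prefix, and row breaks excluded from every field.
ROW_PATTERN = r"([^*\s]+)\*([^*\s]+)\*([^*\s]+)"

if __name__ == "__main__":
    print(delims_extract(DMG_VALUE, FIELDS))                    # third field spans the row break
    print(regex_extract_mv(DMG_VALUE, ANSWER_PATTERN, FIELDS))  # no matches under the assumption
    print(regex_extract_mv(DMG_VALUE, ROW_PATTERN, FIELDS))     # one value per row
```

Under that assumption, the delimiter split runs across the row break because the break is not a delimiter, and a pattern anchored on a prefix that is absent from the value never matches.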