Hello Splunkers,
I have the below search working fine and extracting fields so how can i add to props file to make it permanent.
index=** sourcetype=logxx | makemv delim="," rname
Hi @Splunk_rocks,
You can create fields.conf with below configuration.
[yourfield] TOKENIZER = ([^\,]+)\,?
I have not tried but looks like this one also i need
| makemv delim="|" name
I have tried below things in fields.conf but it did not worked
[myfield] TOKENIZER = ([^|]+)|? OR
[myfield ] TOKENIZER = ([^\x7c]+)
[workstations] TOKENIZER = ([^\,]+)\,?
