I have a string in my log file that consists of a list of URL query parameters which are automatically extracted to new fields, so source looks like...
graph?node=100021+101024&sort=product.review.avg_rating|desc&groupby=product.code&offset=0&nbins=8
From this automatic extractions produce new fields for each of the name-value pairs, so for example I end up with a new field node with a value of 100021+101024, the problem with this is that those values are a delimited list with a + delimiter. So I've added a stanza to transforms.conf to extract each value into a new field dim_val_id.
[dimvalid]
SOURCE_KEY = node
DELIMS = "+"
MV_ADD = true
FIELDS = "dim_val_id"
For some reason though I don't get a dim_val_id field unless I add | extract reload=t to my search query. If I remove the extract dim_val_id disappears. My theory is that the node hasn't been extracted yet when my transform runs and that is why I don't get a dim_val_id field. Does anyone know how to get around this or have another suggested approach?
As extra credit, this transform doesn't exactly work as I would like. Even-though I have specified MV_ADD = true I will only get the first value in my new field unless I list dim_val_id multiple times in the FIELDS list.
in your first extraction, you can nest capture groups: =((\d+)\+(\d+))&
That presumes you're using a transform to get at the data in the first place instead of any sort of autokv or something.
/edited to fix silly formatting problems
// grumble, markdown languages
/// something about my lawn