Solved: Multivalue delimited field extraction using SPLUNK...

spammenot66 · ‎03-12-2016

In my logs I'm expecting to see groups with multivalues delimited by %257. for example in my logs im expecting to see
&group=Group1%257Group2%257Group3%257Group4&

I've created a field extraction for GroupsMV using the regular expression group=(?[^&]*). This part seems to work when i run the query (i get the expected results):

group=*|stats count by GroupsMV

The next, i tried to setup a field transformation "(?[^%]+)(?:[%257])*" and have selected the checkbox " Create multivalued fields".

When i try to run the query bewloe, i get no results.

group=*|stats count by site_Group

Please assist. What should i do to extract the multiple values for the parameter group?

I've gone through these document and with the second article, I don't understand where "TOKENIZER" comes into play using SPLUNK web. Do i need to apply TOKENIZER? If so, how do i do it using SPLUNK Web?

http://docs.splunk.com/Documentation/Splunk/6.0.4/Knowledge/Managefieldtransforms
https://answers.splunk.com/answers/84589/multivalue-delimited-field-extraction.html

jkat54 · ‎03-13-2016

In short, when you create the multivalued extractions via splunk web, tokenizer is not available.

Your only option i know of are the mv commands... makemv, mvextract, mvexpand, etc.

If you're using splunk cloud, the only way i know to create the fields.conf file is to create your own app, have splunk approve of it for the cloud offering (become a splunk developer), etc.

Maybe you can hit your splunk cloud rest api and create a fields.conf that way, never tried. If you're using splunk enterprise it should be rather simple. If you want better help, please let us know what version of splunk you are using... ent, cloud, trial, and the version number.

View solution in original post

jkat54 · ‎03-13-2016

In short, when you create the multivalued extractions via splunk web, tokenizer is not available.

Your only option i know of are the mv commands... makemv, mvextract, mvexpand, etc.

If you're using splunk cloud, the only way i know to create the fields.conf file is to create your own app, have splunk approve of it for the cloud offering (become a splunk developer), etc.

Maybe you can hit your splunk cloud rest api and create a fields.conf that way, never tried. If you're using splunk enterprise it should be rather simple. If you want better help, please let us know what version of splunk you are using... ent, cloud, trial, and the version number.

spammenot66 · ‎03-14-2016

I'm currently using an onpremise solution with only access to SPLUNK web. Thank you for confirming its not available in SPLUNK web. I'll connect with my admin to make the necessary update to run TOKENIZE. Hopefully one day this will be available in SPLUNK web before SPLUNK 10 😛

jkat54 · ‎03-14-2016

Thanks for marking as the solution. Let us know if anything else comes up.

spammenot66 · ‎03-13-2016

Does anyone know if defining a Tokenizer is available in SPLUNK Web? as noted in this doc?
http://docs.splunk.com/Documentation/Splunk/6.0.1/Knowledge/ConfigureSplunktoparsemulti-valuefields

[]
TOKENIZER =

jkat54 · ‎03-12-2016

When you create an extraction called site_Group then your root search of group=* is no longer valid... Right?

You can look at the job inspector (magnifying glass) that appears when the job completes. It will show how many events go into a command and how many come out of the command. That might help you.

spammenot66 · ‎03-13-2016

@jkat54, no that doesn't sound right, when i created the field extraction, as well as field transformation, the root search for group=* still works. I can still run these two:

group=*|stats count by GroupsMV
group=*|stats count by group

Multivalue delimited field extraction using SPLUNK Web

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...