Solved: Re: Extracting multiple field values from a comma ...

Josh · ‎04-15-2010

Hello All,

What is the best way to extract into a single field mutiple values from a comma-seperated list:

Example: xxxx Books:1,2,3,65,2,5 xxxxxx

From this I have created a field called Books which contains the string 1,2,3,65,2,5 however what I would like to do is create a field called Books which takes each value as a single entry.

So from the above example I would have 6 entries in the field Book for this particular log entry.

bwooden · ‎04-15-2010

If you have extracted the field Books with a single value of 1,2,3,65,2,5 and want it to report as a multi-valued attribute, try this at search time:

Books = * | makemv delim="," Books

View solution in original post

bwooden · ‎04-15-2010

If you have extracted the field Books with a single value of 1,2,3,65,2,5 and want it to report as a multi-valued attribute, try this at search time:

Books = * | makemv delim="," Books

Masa · ‎11-06-2011

Just in case, the other option is to use transforms.conf and fields.conf

http://wiki.splunk.com/Community:Comma-Separated_Multi-Value_Field_Extraction_In_Single-line_Event

BunnyHop · ‎04-15-2010

This can be easily done through regex on your props.conf & transforms.conf:

props.conf

[sourcetype_for_the_csv]
REPORT-multifield = multifield

transforms.conf

[multifield]
REGEX = Books:(\d+,\d+,\d+,\d+,\d+,\d+)
FORMAT = book::$1

Extracting multiple field values from a comma seperated list

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases