Can anyone provide assistance for extracting multiple field values with the same field name? My log is something like this:
10:10:34 scan_date="2014-05-24 10:10:34" ip=192.168.1.1 port=445 protocol=tcp results="- NULL sessions are enabled on the remote host " cve=CVE-1999-0503 cve=CVE-1999-0504 cve=CVE-1999-0505 cve=CVE-1999-0506 cve=CVE-2000-0222 cve=CVE-2002-1117 mskb=Q132679 mskb=Q143474 mskb=Q289655
As you can observe, I have multiple CVE and MSKB values, and Splunk stops after extracting the first value. I would like to extract all of them. Any suggestions? Any input would be helpful.
Hi splunkingsplunker,
have you tried adding MV_ADD in transforms.conf for that sourcetype?
MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls what the extractor does when it finds a field which already exists.
* If set to true, the extractor makes the field a multivalued field and appends the
* newly found value, otherwise the newly found value is discarded.
* Defaults to false
hope this helps ...
cheers, MuS
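As an added illustration (not part of the question or of MuS's answer), here is a small Python model of the behaviour the pasted MV_ADD spec describes, run against the sample event from the question. REGEX, FORMAT and MV_ADD are real transforms.conf keys; the stanza contents and regexes below are hypothetical, chosen only to fit this log format.

```python
import re

# Constructed sample event, copied from the question above.
EVENT = ('10:10:34 scan_date="2014-05-24 10:10:34" ip=192.168.1.1 port=445 '
         'protocol=tcp results="- NULL sessions are enabled on the remote host " '
         'cve=CVE-1999-0503 cve=CVE-1999-0504 cve=CVE-1999-0505 cve=CVE-1999-0506 '
         'cve=CVE-2000-0222 cve=CVE-2002-1117 mskb=Q132679 mskb=Q143474 mskb=Q289655')

# Hypothetical transforms.conf stanzas, modelled as dicts. In a real deployment
# they would be referenced from props.conf via REPORT-<class> = <stanza name>.
CVE_STANZA = {"REGEX": r"\bcve=(CVE-\d{4}-\d+)", "FORMAT": "cve::$1", "MV_ADD": True}
MSKB_STANZA = {"REGEX": r"\bmskb=(Q\d+)", "FORMAT": "mskb::$1", "MV_ADD": True}


def apply_transform(event, stanza, fields=None):
    """Apply one REGEX/FORMAT transform to an event the way the MV_ADD spec
    describes for a search-time extraction: every regex match is considered;
    when the field already exists, MV_ADD=true appends the new value
    (multivalue field) and MV_ADD=false discards it."""
    fields = {} if fields is None else fields
    name, template = stanza["FORMAT"].split("::", 1)
    for m in re.finditer(stanza["REGEX"], event):
        # Expand $1, $2, ... in FORMAT from the regex capture groups.
        value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
        if name not in fields:
            fields[name] = [value]
        elif stanza["MV_ADD"]:
            fields[name].append(value)
        # else: field already exists and MV_ADD is false -> value is discarded
    return fields


def extract(event, stanzas):
    """Run several transforms over one event and return the extracted fields."""
    fields = {}
    for stanza in stanzas:
        apply_transform(event, stanza, fields)
    return fields


if __name__ == "__main__":
    # With MV_ADD=true every cve= and mskb= value survives as a multivalue field.
    print(extract(EVENT, [CVE_STANZA, MSKB_STANZA]))
    # With MV_ADD=false (the default) only the first cve= value is kept.
    print(extract(EVENT, [dict(CVE_STANZA, MV_ADD=False)]))
```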