Needing help with multiple multi-value field extraction from a multiline event.
Expecting the result of the following extraction to index each of the rowA values with each of the rowC identifiers, index each of the rowB values with each of the rowC identifiers, and extract the EndTime into the record timestamp(s).
An acceptable alternative to these associations is a record timestamped with EndTime with multivalue field rowA, multivalue field rowB, and multivalue field rowC.
RowNameA,1432,4363,6223,7543,19182,...
RowNameB,8383,2727,3221,...
RowNameC,NumericalIdentifierA,NumericalIdentifierB,...
RowNameD,TheDate,StartTime,EndTime,OtherNumbers,...
I am stuck at (,(?\d+)[^\S]+) for the regex to pull out the rowA values, which unfortunately cuts across all lines. Apparently adding a wildcard to the beginning of the regex misses values. Apparently the tokenizer-based approach requires named columns. Can someone demonstrate to me that Splunk is expressive enough at index time to extract the information in the manner I'm requesting?
I am working with Splunk Cloud, with data files sourced via a Heavy Forwarder. I've been unable to get the MV_ADD feature to work in transforms.conf, but have been able to get a single multi-value field to extract via the transform+field extraction console.
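As an added example (not part of the original post or any answer), the Python below reproduces the cross-line problem described in the question on a constructed event in the RowNameA..RowNameD layout, then shows a line-anchored alternative that keeps each row's values separate and timestamps the record with EndTime. The regexes are plain Python `re` (PCRE-compatible for these constructs); no Splunk props.conf/transforms.conf is shown, and the sample values are made up.

```python
import re

# Constructed sample event in the layout from the question (values are made up).
SAMPLE_EVENT = """RowNameA,1432,4363,6223,7543,19182
RowNameB,8383,2727,3221
RowNameC,1001,1002
RowNameD,2024-05-01,08:00:00,08:15:00,55,66
"""

# Anchoring each pattern at the start of its own row (MULTILINE ^) and
# stopping at end of line keeps one row's values from bleeding into the next.
ROW_VALUES = re.compile(r"^(?P<name>RowName[ABC]),(?P<values>[^\r\n]*)$", re.MULTILINE)
ROW_D = re.compile(r"^RowNameD,(?P<date>[^,]+),(?P<start>[^,]+),(?P<end>[^,]+)", re.MULTILINE)


def naive_extract(event):
    # Reproduces the problem: an unanchored comma-digits pattern (a simplified
    # form of the one in the question) matches numbers on every row, including
    # fragments of the date and times on RowNameD.
    return re.findall(r",(\d+)", event)


def extract_record(event):
    """Return one record: EndTime-based timestamp plus rowA/rowB/rowC as lists."""
    rows = {m.group("name"): m.group("values").split(",") for m in ROW_VALUES.finditer(event)}
    d = ROW_D.search(event)
    if d is None:
        raise ValueError("RowNameD line with date/start/end not found")
    return {
        "_time": f"{d.group('date')} {d.group('end')}",  # record timestamped with EndTime
        "rowA": rows.get("RowNameA", []),
        "rowB": rows.get("RowNameB", []),
        "rowC": rows.get("RowNameC", []),
    }


def associate(record):
    """Expand to (field, value, identifier) tuples: every rowA/rowB value
    paired with every rowC identifier, the association asked for in the question."""
    return [(field, value, ident)
            for field in ("rowA", "rowB")
            for value in record[field]
            for ident in record["rowC"]]


if __name__ == "__main__":
    rec = extract_record(SAMPLE_EVENT)
    print(rec)
    print(len(naive_extract(SAMPLE_EVENT)), "values matched by the unanchored pattern")
    print(associate(rec))
```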