Extracting multiple values from a multivalue field: using rex vs. props.conf or transforms.conf

This is a follow-up to [my previous question][1].

[1]: https://answers.splunk.com/answers/481518/how-to-extract-a-multivalue-index-time-field-from.html

In there, I managed to extract a multivalue index-time field, but could not use that one to extract another one from it. Right now I'm planning a workaround. I already have a multivalue mainKey, but want to extract a subKey from it, and do it not on the search line, if possible, but in the props/transforms.

Here is the search string that I'm using right now:

`index = "testIndexTimeFields" sourcetype = "testIndexFields" | rex field=mainKey "^[a-zA-Z]*(?P<subKey>\d+)$"`

And it does exactly what I expect: for those events where mainKey is multivalue, the corresponding values of subKey are extracted from each individual mainKey wherever possible, creating a multivalue subKey when there is more than one parseable mainKey value.

Is there any good way to mimic that search-time extraction in `props.conf`/`transforms.conf`? So far I tried some REPORTS to no avail... The documentation is extremely vague on, for example, the SOURCE_KEY value, but I did try both `SOURCE_KEY=mainKey` and `SOURCE_KEY=field:mainKey` with no success. Any ideas?

I check the functionality by adding `| table mainKey, subKey` to that search string and looking at the results. My objective would be to remove that `| rex ...` part, slap on the same `| table...` and still get the same results, thanks to the props and transforms performing that extraction for me.
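The per-value behaviour described in the question, modelled in Python as an added example (not part of the original post and not Splunk code): it gives the `mainKey`/`subKey` pairs that any `props.conf`/`transforms.conf` replacement would have to reproduce. The function names and the sample events are assumptions constructed for illustration; only the regex and the field names come from the post.

```python
import re

# Pattern from the question's rex command: optional letters, then digits
# running to the end of the value. The named group becomes the new field.
SUBKEY_RE = re.compile(r"^[a-zA-Z]*(?P<subKey>\d+)$")


def extract_subkey(main_key):
    """Apply the pattern to each value of mainKey separately.

    Returns None when no value parses, a str when exactly one does, and a
    list when several do (single-value vs. multivalue result field).
    """
    if main_key is None:
        return None
    # A single-value field is treated as a one-element multivalue field.
    values = [main_key] if isinstance(main_key, str) else list(main_key)
    found = []
    for value in values:
        match = SUBKEY_RE.match(value)
        if match:  # unparseable values contribute nothing
            found.append(match.group("subKey"))
    if not found:
        return None
    return found[0] if len(found) == 1 else found


# Constructed sample events (hypothetical values, not taken from the post).
SAMPLE_EVENTS = [
    {"mainKey": ["abc123", "def456"]},            # every value parses
    {"mainKey": ["abc123", "no-digits", "789"]},  # one value is skipped
    {"mainKey": "xyz42"},                         # single-value mainKey
    {"mainKey": ["12ab", "ab 12"]},               # nothing parses
    {},                                           # mainKey absent
]


def table(events):
    """Equivalent of '| table mainKey, subKey' over the modelled events."""
    return [(e.get("mainKey"), extract_subkey(e.get("mainKey"))) for e in events]


if __name__ == "__main__":
    for main_key, sub_key in table(SAMPLE_EVENTS):
        print(f"mainKey={main_key!r:40} subKey={sub_key!r}")
```
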
