Hello fellow Splunker,
I have a question about my props.conf and transforms.conf.
I want to extract a multi-valued field for the messages which are displayed in the following .txt file.
#######################################
System: System_02
Message
--------------- RHSA-2016:0001 Important: security update - 1 12/23/16 RHSA-2016:0002 Important: security update - 2 12/24/16 RHSA-2016:0003 Important: bug fix update - 1 12/25/16
#######################################
I want to extract the messages as a multi-valued field. Therefore I have written the following props.conf and transforms.conf (by looking at similar questions asked on Splunk Answers).
props.conf
[mymessagetest]
MUST_BREAK_AFTER = #####
TIME_FORMAT = %m/%d/%y
category = Custom
disabled = false
pulldown_type = true
REPORT-mv_sec = mv_sec
transforms.conf
[mv_sec]
REGEX = (?RHSA-[\d\:]+.+)
MV_ADD = true
However, these .conf files are not extracting the messages as a multi-value field, but as one field.
Does anyone have an idea why this is happening and how I can extract a mv-field?
To be clear, the output is now one field and looks like this:
RHSA-2016:0001 Important: security update - 1 12/23/16 RHSA-2016:0002 Important: security update - 2 12/24/16 RHSA-2016:0003 Important: bug fix update - 1 12/25/16
Thank you very much for the help!
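The behaviour described in the post can be reproduced outside Splunk. This is an added example, not part of the original post: it uses Python's `re` module as a stand-in for the search-time extractor, and it assumes the capture-group name `message` (the name in the posted REGEX did not survive on this page) and a date-terminated alternative pattern that is one possible way to bound each entry.

```python
import re

# Constructed from the sample event in the post (the message line only).
EVENT = (
    "--------------- RHSA-2016:0001 Important: security update - 1 12/23/16 "
    "RHSA-2016:0002 Important: security update - 2 12/24/16 "
    "RHSA-2016:0003 Important: bug fix update - 1 12/25/16"
)

# Pattern from the post. The group name "message" is an assumption.
# The trailing ".+" is greedy, so the first match runs to the end of the line.
GREEDY = re.compile(r"(?P<message>RHSA-[\d\:]+.+)")

# Assumed alternative: match lazily and stop at the trailing m/d/y date,
# so every advisory entry becomes its own match.
BOUNDED = re.compile(r"(?P<message>RHSA-\d{4}:\d{4}.+?\d{1,2}/\d{1,2}/\d{2})")


def extract(pattern, text):
    """Return every non-overlapping match, the way repeated matching would."""
    return [m.group("message") for m in pattern.finditer(text)]


if __name__ == "__main__":
    for name, pattern in (("greedy", GREEDY), ("bounded", BOUNDED)):
        values = extract(pattern, EVENT)
        print(f"{name}: {len(values)} value(s)")
        for value in values:
            print("   ", value)
```

With the greedy pattern there is only ever one match for `MV_ADD = true` to append, which is consistent with the single-value output shown in the post.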