Configure multi-value fields

Configure multi-value fields

Configure multi-value fields in fields.conf to tell Splunk how to recognize more than one field value in a single extracted field value. Edit fields.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Splunk parses multi-value fields at search time, and allows you to process the values in the search pipeline. Learn which search commands support multi-value fields).

Learn more about using multi-value fields.

Configure multi-value fields in fields.conf

Define a multi-value field by adding a stanza for it in $SPLUNK_HOME/etc/system/local/fields.conf. Tell Splunk how to parse values from a field value by defining a regular expression with the tokenizer key.

Note: If you have other attributes to set for a field, set them in the same stanza underneath tokenizer. See configure fields.conf for more information.

[<field name>]
tokenizer  = $REGEX

[<field name>]

• Set this to the name of the field you've defined in props.conf and transforms.conf.
• Add indexed or extracted fields.

tokenizer

• Define a regular expression to tell Splunk how to parse the field into multiple values.

Example

The following examples from $SPLUNK_HOME/etc/system/README/fields.conf.example break email fields To, From and CC into mutliple values.

[To]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)
[From]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)
[Cc]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

• Was this topic useful?
• Post a comment