Configure extractions of multivalue fields with fields.conf

Multivalue fields are fields that can appear multiple times in an event and have a different value for each appearance. One of the more common examples of multivalue fields is that of email address fields, which typically appears two to three times in a single sendmail event--once for the sender, another time for the list of recipients, and possibly a third time for the list of Cc addresses, if one exists. If all of these fields are labeled identically (as "AddressList," for example), they lose meaning that they might otherwise have if they're identified separately as "From", "To", and "Cc".

Multivalue fields are parsed at search time, which enables you to process the resulting values in the search pipeline. Search commands that work with multivalue fields include makemv, mvcombine, mvexpand, and nomv. For more information on these and other commands see the topic on manipulating multivalue fields in the Search Manual. The complete command reference is in the Search Reference manual.

Use the TOKENIZER key to configure multivalue fields in fields.conf. TOKENIZER uses a regular expression to tell Splunk software how to recognize and extract multiple field values for a recurring field in an event. If you have Splunk Enterprise, you edit fields.conf in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/.

For more information on configuration files in general, see "About configuration files" in the Admin manual.

For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regexes by using them in searches with the rex search command.

Configure a multivalue field via fields.conf

If you have Splunk Enterprise, you can define a multivalue field by adding a stanza for it in fields.conf. Then add a line with the TOKENIZER key and a corresponding regular expression that shows how the field can have multiple values.

Note: If you have other attributes to set for a multivalue field, set them in the same stanza underneath the TOKENIZER line. See the fields.conf topic in the Admin manual for more information.

[<field name 1>]
TOKENIZER = <regular expression>

[<field name 2>]
TOKENIZER = <regular expression>

• <regular expression> should indicate how the field in question can take on multiple values.
• TOKENIZER defaults to empty. When TOKENIZER is empty, the field can only take on a single value.
• Otherwise the first group is taken from each match to form the set of field values.
• The TOKENIZER key is used by the where, timeline, and stats commands. It also provides the summary and XML outputs of the asynchronous search API.

Note: Tokenization of indexed fields (fields extracted at index time) is not supported. If you have set INDEXED=true for a field, you cannot also use the TOKENIZER key for that field. You can use a search-time extraction defined in props.conf and transforms.conf to break an indexed field into multiple values.

Example

Say you have a poorly formatted email log file where all of the addresses involved are grouped together under AddressList:

From:          sender@splunkexample.com
To:            recipient1@splunkexample.com, recipient2@splunkexample.com, recipient3@splunkexample.com
CC:            cc1@splunkexample.com, cc2@splunkexample.com, cc3@splunkexample.com
Subject:       Multivalue fields are out there!
X-Mailer:      Febooti Automation Workshop (Unregistered)
Content-Type:  text/plain; charset=UTF-8
Date:          Wed, 3 Nov 2017 17:13:54 +0200
X-Priority:    3 (normal)

This example from $SPLUNK_HOME/etc/system/README/fields.conf.example breaks email fields To, From, and CC into multiple values.

[To]
TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w)

[From]
TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w)

[Cc]
TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w)