Configure extractions of multivalue fields with fields.conf
Multivalue fields are fields that can appear multiple times in an event and have a different value for each appearance. One of the more common examples of multivalue fields is that of email address fields, which typically appears two to three times in a single sendmail event--once for the sender, another time for the list of recipients, and possibly a third time for the list of Cc addresses, if one exists. If all of these fields are labeled identically (as "AddressList," for example), they lose meaning that they might otherwise have if they're identified separately as "From", "To", and "Cc".
Multivalue fields are parsed at search time, which enables you to process the resulting values in the search pipeline. Search commands that work with multivalue fields include makemv, mvcombine, mvexpand, and nomv. For more information on these and other commands see the topic on manipulating multivalue fields in the Search Manual. The complete command reference is in the Search Reference manual.
Use the TOKENIZER
key to configure multivalue fields in fields.conf. TOKENIZER
uses a regular expression to tell Splunk software how to recognize and extract multiple field values for a recurring field in an event. If you have Splunk Enterprise, you edit fields.conf
in $SPLUNK_HOME/etc/system/local/
, or your own custom app directory in $SPLUNK_HOME/etc/apps/
.
For more information on configuration files in general, see "About configuration files" in the Admin manual.
For a primer on regular expression syntax and usage, see Regular-Expressions.info. You can test regexes by using them in searches with the rex search command.
Configure a multivalue field via fields.conf
If you have Splunk Enterprise, you can define a multivalue field by adding a stanza for it in fields.conf
. Then add a line with the TOKENIZER
key and a corresponding regular expression that shows how the field can have multiple values.
Note: If you have other attributes to set for a multivalue field, set them in the same stanza underneath the TOKENIZER
line. See the fields.conf topic in the Admin manual for more information.
[<field name 1>] TOKENIZER = <regular expression> [<field name 2>] TOKENIZER = <regular expression>
<regular expression>
should indicate how the field in question can take on multiple values.TOKENIZER
defaults to empty. WhenTOKENIZER
is empty, the field can only take on a single value.- Otherwise the first group is taken from each match to form the set of field values.
- The
TOKENIZER
key is used by the where, timeline, and stats commands. It also provides the summary and XML outputs of the asynchronous search API.
Note: Tokenization of indexed fields (fields extracted at index time) is not supported. If you have set INDEXED=true
for a field, you cannot also use the TOKENIZER
key for that field. You can use a search-time extraction defined in props.conf
and transforms.conf
to break an indexed field into multiple values.
Example
Say you have a poorly formatted email log file where all of the addresses involved are grouped together under AddressList
:
From: sender@splunkexample.com To: recipient1@splunkexample.com, recipient2@splunkexample.com, recipient3@splunkexample.com CC: cc1@splunkexample.com, cc2@splunkexample.com, cc3@splunkexample.com Subject: Multivalue fields are out there! X-Mailer: Febooti Automation Workshop (Unregistered) Content-Type: text/plain; charset=UTF-8 Date: Wed, 3 Nov 2017 17:13:54 +0200 X-Priority: 3 (normal)
This example from $SPLUNK_HOME/etc/system/README/fields.conf.example
breaks email fields To
, From
, and CC
into multiple values.
[To] TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w) [From] TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w) [Cc] TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w)
Example transform field extraction configurations | About calculated fields |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
Feedback submitted, thanks!