In my logs I'm expecting to see groups with multiple values delimited by %257. For example, in my logs I'm expecting to see
`&group=Group1%257Group2%257Group3%257Group4&`
I've created a field extraction for GroupsMV using the regular expression `group=(?<GroupsMV>[^&]*)`. This part seems to work: when I run the query `group=* | stats count by GroupsMV`, I get the expected results.
Next, I tried to set up a field transformation `(?<site_Group>[^%]+)(?:[%257]*)` and selected the checkbox "Create multivalued fields".
When I try to run the query `group=* | stats count by site_Group`, I get no results.
Please assist. What should I do to extract the multiple values for the parameter group?
I've gone through these documents, and with the second article I don't understand where "TOKENIZER" comes into play using Splunk Web. Do I need to apply TOKENIZER? If so, how do I do it using Splunk Web?
http://docs.splunk.com/Documentation/Splunk/6.0.4/Knowledge/Managefieldtransforms
https://answers.splunk.com/answers/84589/multivalue-delimited-field-extraction.html
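As an added illustration (not code from the post, from Splunk, or from the linked docs), this Python script mimics what a TOKENIZER does: every match of the first capturing group becomes one value of the multivalue field. It assumes Python's `(?P<name>...)` named-group syntax in place of Splunk's `(?<name>...)`, and runs on a constructed log line; the naive tokenizer shows why splitting on `%` alone leaves the `257` attached to each value.

```python
import re
from typing import List, Optional

# Constructed sample event in the shape the question describes.
SAMPLE_LOG = "ts=1 user=alice&group=Group1%257Group2%257Group3%257Group4&action=login"

# Same pattern as the question's field extraction, in Python's (?P<name>...) syntax;
# Splunk writes the named group as (?<GroupsMV>...).
FIELD_REGEX = re.compile(r"group=(?P<GroupsMV>[^&]*)")

# Naive tokenizer: stops only at '%', so the '257' stays glued to each value.
NAIVE_TOKENIZER = re.compile(r"([^%]+)")

# Tokenizer that treats the whole '%257' sequence as the delimiter.
DELIM_TOKENIZER = re.compile(r"(?:^|%257)([^%]+)")


def extract_group_field(line: str) -> Optional[str]:
    """Step 1: pull the raw single-valued field out of the event (search-time extraction)."""
    m = FIELD_REGEX.search(line)
    return m.group("GroupsMV") if m else None


def tokenize(value: str, tokenizer: "re.Pattern[str]") -> List[str]:
    """Mimic a TOKENIZER: each match of the first capturing group is one value."""
    return [m.group(1) for m in tokenizer.finditer(value)]


def extract_groups_mv(line: str) -> List[str]:
    """End to end: raw field first, then split on the '%257' delimiter."""
    raw = extract_group_field(line)
    return tokenize(raw, DELIM_TOKENIZER) if raw else []


if __name__ == "__main__":
    raw = extract_group_field(SAMPLE_LOG)
    print("raw field  :", raw)
    print("naive split:", tokenize(raw, NAIVE_TOKENIZER))
    print("delim split:", extract_groups_mv(SAMPLE_LOG))
```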