Sending events with dynamic number of fields to Splunk (array)
How do I dynamically create multi value fields in Cribl?
For example, I would like to take the following and send it as a multi-value event in Splunk:
cs19=00:40:03:05:79:e1;00:40:03:05:79:d1;00:40:03:05:7a:25;00:40:03:05:7a:89;00:40:03:05:79:f1;00:40:03:05:7a:4d;00:40:03:05:79:cd;00:40:03:05:79:dd;00:40:03:05:7a:51;00:40:03:05:79:fd;00:40:03:05:78:c9;00:40:03:05:78:f1;00:40:03:05:79:0d;00:40:03:05:79:2d;00:0a:f7:fb:77:58;64:00:6a:7c:65:48;64:00:6a:7c:6d:26;64:00:6a:7c:66:d5;64:00:6a:7c:5f:66;14:18:77:6b:31:01;00:40:03:05:78:cd;64:00:6a:7c:65:b4;00:40:03:05:79:05;64:00:6a:7c:66:f2;00:40:03:05:7a:91;00:40:03:05:7a:69;00:40:03:05:79:75;00:40:03:05:79:25;00:40:03:05:7a:09;00:40:03:05:79:35;64:00:6a:7c:6d:ce;64:00:6a:7c:6b:79;14:18:77:6b:63:81
For example, this sample event can come in with anywhere from 1 to 50 different MAC addresses.
Best Answer
This can be accomplished by using the Eval function with an Evaluate Fields entry to create a field named using the Value Expression
This will create an array called cs19, and for your example, it contains 33 values.
Send this over to Splunk as per usual, and it should come out as an index-time multi-valued field.
0
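The following is an added example and is not code from the original thread or from Cribl. Cribl evaluates an Eval function's Value Expression as JavaScript against the event, so the same split logic can be run stand-alone in Node to see what the resulting `cs19` array looks like. The function names (`splitMultiValue`, `normaliseMacList`, `evalFunction`) are hypothetical; the hardened variant goes beyond the plain `split` by rejecting malformed entries, dropping duplicates and capping the array, which is what you would want before trusting a field that an upstream device controls.

```javascript
// Added example (not from the thread): what a Cribl Eval Value Expression does
// to the cs19 field, run outside Cribl. Function names are hypothetical.

// The sample event value from the question (constructed copy, 33 MACs).
const SAMPLE_CS19 =
  "00:40:03:05:79:e1;00:40:03:05:79:d1;00:40:03:05:7a:25;00:40:03:05:7a:89;" +
  "00:40:03:05:79:f1;00:40:03:05:7a:4d;00:40:03:05:79:cd;00:40:03:05:79:dd;" +
  "00:40:03:05:7a:51;00:40:03:05:79:fd;00:40:03:05:78:c9;00:40:03:05:78:f1;" +
  "00:40:03:05:79:0d;00:40:03:05:79:2d;00:0a:f7:fb:77:58;64:00:6a:7c:65:48;" +
  "64:00:6a:7c:6d:26;64:00:6a:7c:66:d5;64:00:6a:7c:5f:66;14:18:77:6b:31:01;" +
  "00:40:03:05:78:cd;64:00:6a:7c:65:b4;00:40:03:05:79:05;64:00:6a:7c:66:f2;" +
  "00:40:03:05:7a:91;00:40:03:05:7a:69;00:40:03:05:79:75;00:40:03:05:79:25;" +
  "00:40:03:05:7a:09;00:40:03:05:79:35;64:00:6a:7c:6d:ce;64:00:6a:7c:6b:79;" +
  "14:18:77:6b:63:81";

// Colon-separated, lower-case MAC address (six hex octets).
const MAC_RE = /^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$/;

// Equivalent of the Value Expression cs19.split(';'): the delimited string
// becomes an array, which Splunk indexes as a multi-value field. A missing or
// empty field yields an empty array instead of throwing.
function splitMultiValue(value, sep = ";") {
  if (typeof value !== "string" || value.length === 0) return [];
  return value
    .split(sep)
    .map((s) => s.trim())
    .filter((s) => s.length > 0); // drop empties from trailing/double separators
}

// Hardened variant for an attacker-influenced field: normalise case, reject
// entries that are not MACs, de-duplicate, and cap the array so an oversized
// upstream event cannot balloon the indexed field.
function normaliseMacList(value, { sep = ";", max = 50 } = {}) {
  const seen = new Set();
  const macs = [];
  const rejected = [];
  for (const raw of splitMultiValue(value, sep)) {
    const mac = raw.toLowerCase();
    if (!MAC_RE.test(mac)) {
      rejected.push(raw); // keep for a separate "malformed input" alert
      continue;
    }
    if (seen.has(mac)) continue;
    seen.add(mac);
    macs.push(mac);
  }
  return { macs: macs.slice(0, max), truncated: macs.length > max, rejected };
}

// What the Eval function does to a whole event: the cs19 string is replaced by
// the array; every other field is passed through unchanged.
function evalFunction(event) {
  return { ...event, cs19: splitMultiValue(event.cs19) };
}

console.log(evalFunction({ cs19: SAMPLE_CS19 }).cs19.length); // 33
```

In Cribl itself the whole block collapses to the single Value Expression `cs19.split(';')`; the validation in `normaliseMacList` is the part worth carrying over into a second Eval or a Code function if the field originates from devices you do not fully control.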