I am extracting fields from tabular data containing headers with entries in props.conf like the following:
EXTRACT-categories = (?i)^(?:[^\t]*\t){24}(?P<%FieldName%>[^\t]+)
It is working as desired, though it may not be the best method. If you know of a better way, please advise.
One of the extracted fields contains multivalue data delimited with pipes. For example the data after the 24th tab looks like the below:
option1|option2|option3
Currently this is being extracted as categories=option1|option2|option3, but this results in more categories than exist due to all the possible combinations of options. I'd like each event to be categories=option1 categories=option2, so they are listed as option1 and option2, not option1|option2.
I have made various attempts, including the below from Splunkbase, but I can't seem to get anything to work.
props.conf
[eventtypename]
REPORT-categories = mv-categories
transforms.conf
[mv-categories]
REX = (?i)^(?:[^\t]*\t){24}(?P<%fieldname%>\w+[^\|]|[^\t])
MV_ADD = true
Can anyone point me towards a better solution?
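
One way to get one value per option, added here as an example and not part of the original post: a regex anchored with ^ can match an event only once, so MV_ADD never sees a second match; staging the whole column in one field and splitting it with an unanchored second pass avoids that. The field name categories_raw is an assumption; [eventtypename] and mv-categories are carried over from the post.

```ini
# props.conf
[eventtypename]
# Step 1 (inline extraction): capture the whole 25th tab-delimited column,
# pipes included, into a staging field. categories_raw is a hypothetical name.
EXTRACT-categories_raw = ^(?:[^\t]*\t){24}(?P<categories_raw>[^\t]+)
# Step 2: split the staging field. Inline EXTRACT settings are applied before
# REPORT transforms, so categories_raw already exists when this runs.
REPORT-categories = mv-categories

# transforms.conf
[mv-categories]
# Apply the regex to the staging field instead of the raw event.
SOURCE_KEY = categories_raw
# Unanchored, so it matches once per pipe-delimited token.
REGEX = ([^|]+)
# Write each token to the categories field.
FORMAT = categories::$1
# Keep every match as an additional value instead of only the first one.
MV_ADD = true
```

Writing the tokens to a field other than the staging field keeps the unsplit option1|option2|option3 string from showing up as an extra value of categories. For a one-off search, `| makemv delim="|" categories` splits the existing field without any configuration change.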