This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6
Configure multi-value fields in fields.conf to tell Splunk how to recognize more than one field value in a single extracted field value. Edit fields.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Splunk parses multi-value fields at search time, and allows you to process the values in the search pipeline. Learn which search commands support multi-value fields.
Learn more about using multi-value fields.
Define a multi-value field by adding a stanza for it in $SPLUNK_HOME/etc/system/local/fields.conf. Tell Splunk how to parse values from a field value by defining a regular expression with the tokenizer key.
Note: If you have other attributes to set for a field, set them in the same stanza underneath tokenizer. See configure fields.conf for more information.
The stanza has this form:

[<field name>]
TOKENIZER = $REGEX

[<field name>]: the name of the field, as it is named in props.conf and transforms.conf.
TOKENIZER: the regular expression Splunk applies to the extracted field value; each match of the expression (its capture group, when one is present) becomes one value of the multi-value field.
The following examples from $SPLUNK_HOME/etc/system/README/fields.conf.example break the email fields To, From and Cc into multiple values.

[To]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

[From]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

[Cc]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)
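To check a TOKENIZER expression before deploying it, it helps to apply it offline to realistic field values. The following is an added example, not code from Splunk or from fields.conf.example: it parses the three stanzas above from a constructed fields.conf text with a minimal stanza reader, then runs each tokenizer over a constructed event's extracted field values the way Splunk would at search time. The event values, the `parse_tokenizers`, `tokenize` and `split_multivalue` functions, and the pass-through behaviour for fields that have no stanza are assumptions of this example; only the regular expression itself comes from the page. It also shows the edge cases a practitioner cares about: display names and angle brackets around addresses are dropped, and an empty Cc value yields no values at all rather than one empty string.

```python
import re
from typing import Dict, List

# Constructed fields.conf text; the TOKENIZER regex is the one from the page.
FIELDS_CONF = r"""
[To]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

[From]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

[Cc]
TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)
"""

# Constructed event fields, as they might look after a header extraction.
EVENT = {
    "To": "alice@example.com, bob.smith@example.org; <carol@example.net>",
    "From": "Mail System <postmaster@example.com>",
    "Cc": "",
    "Subject": "Quarterly report",
}


def parse_tokenizers(conf_text: str) -> Dict[str, re.Pattern]:
    """Minimal fields.conf reader (assumption: only [stanza] and TOKENIZER lines matter).

    Returns a mapping from field name to its compiled tokenizer regex.
    """
    tokenizers: Dict[str, re.Pattern] = {}
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        # Splunk config keys are matched case-insensitively here (assumption).
        if sep and stanza and key.strip().upper() == "TOKENIZER":
            tokenizers[stanza] = re.compile(value.strip())
    return tokenizers


def tokenize(pattern: re.Pattern, value: str) -> List[str]:
    """Return one value per regex match; use the first capture group if there is one."""
    values = []
    for m in pattern.finditer(value):
        values.append(m.group(1) if m.groups() else m.group(0))
    return values


def split_multivalue(event: Dict[str, str], tokenizers: Dict[str, re.Pattern]) -> Dict[str, List[str]]:
    """Apply the tokenizer for each field that has one; other fields stay single-valued."""
    result: Dict[str, List[str]] = {}
    for field, value in event.items():
        pattern = tokenizers.get(field)
        result[field] = tokenize(pattern, value) if pattern else [value]
    return result


def demo() -> Dict[str, List[str]]:
    """Run the constructed event through the constructed fields.conf stanzas."""
    return split_multivalue(EVENT, parse_tokenizers(FIELDS_CONF))


if __name__ == "__main__":
    for field, values in demo().items():
        print(f"{field}: {values}")
```

Running the script prints the To field as three separate addresses, From as the bare address without its display name, Cc as an empty list and Subject unchanged; that is the shape a search over the individual recipients of a message needs.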