Previous Topic: Cannot only add one Windows event log | Next Topic: splunk -wmi.exe application crash
I tried to index some multi-value fields
transforms.conf:
[mgr-subject]
REGEX = Subject:\s(.*)
FORMAT = $0 subject::$1
DEST_KEY = _meta
fields.conf
[subject]
indexed = true
tokenizer = (\w+)
The Input is a Mail Subject field, e.g.:
Subject: This is a test Subject
Currently only "This" gets indexed.
Any suggestions?
I don't think that this is a multi-valued field - the value is "This is a test Subject". A multivalued field would be, for example, when multiple To: email addresses appear in the same email.
I think you need to fix the transform:
transforms.conf:
[mgr-subject]
REGEX = Subject:\s(.*)$
FORMAT = $0 subject::$1
DEST_KEY = _meta
You must be logged in to post a reply.
Flash required to play this video.
Click here to download the free Flash Player.