
Sending events with dynamic number of fields to Splunk (array)

Louise Tang Posts: 13 mod

How do I dynamically create multi value fields in Cribl?
For example, I would like to take the following and send it as a multi value event in Splunk:

cs19=00:40:03:05:79:e1;00:40:03:05:79:d1;00:40:03:05:7a:25;00:40:03:05:7a:89;00:40:03:05:79:f1;00:40:03:05:7a:4d;00:40:03:05:79:cd;00:40:03:05:79:dd;00:40:03:05:7a:51;00:40:03:05:79:fd;00:40:03:05:78:c9;00:40:03:05:78:f1;00:40:03:05:79:0d;00:40:03:05:79:2d;00:0a:f7:fb:77:58;64:00:6a:7c:65:48;64:00:6a:7c:6d:26;64:00:6a:7c:66:d5;64:00:6a:7c:5f:66;14:18:77:6b:31:01;00:40:03:05:78:cd;64:00:6a:7c:65:b4;00:40:03:05:79:05;64:00:6a:7c:66:f2;00:40:03:05:7a:91;00:40:03:05:7a:69;00:40:03:05:79:75;00:40:03:05:79:25;00:40:03:05:7a:09;00:40:03:05:79:35;64:00:6a:7c:6d:ce;64:00:6a:7c:6b:79;14:18:77:6b:63:81

For example, this sample event can come in with anywhere from 1 to 50 different MAC addresses.

Best Answer

  • Louise Tang
    Louise Tang Posts: 13 mod
    Answer ✓

    This can be accomplished by using the Eval function.

    with an Evaluate Fields to create a field named using the Value Expression.

    This will create an array called cs19, and for your example, it contains 33 values.

    Send this over to Splunk as per usual, and it should come out as an index-time multi-valued field.
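The Eval step the answer describes, as an added JavaScript example (Cribl value expressions are JavaScript); this is not code from the original post or from Cribl, the event is constructed from the sample in the question, and the helper name `toMultivalue` is an assumption:

```javascript
// Emulates the Eval value expression `cs19.split(';')` on a constructed event,
// with two guards the bare expression lacks: a missing or non-string field is
// left alone (so the expression cannot throw on events without cs19), and
// empty entries from a trailing or doubled delimiter are dropped.

// Constructed event: the 33 MAC addresses from the question's sample, already
// extracted into the field cs19 as one ';'-delimited string.
const sampleEvent = {
  cs19:
    '00:40:03:05:79:e1;00:40:03:05:79:d1;00:40:03:05:7a:25;00:40:03:05:7a:89;' +
    '00:40:03:05:79:f1;00:40:03:05:7a:4d;00:40:03:05:79:cd;00:40:03:05:79:dd;' +
    '00:40:03:05:7a:51;00:40:03:05:79:fd;00:40:03:05:78:c9;00:40:03:05:78:f1;' +
    '00:40:03:05:79:0d;00:40:03:05:79:2d;00:0a:f7:fb:77:58;64:00:6a:7c:65:48;' +
    '64:00:6a:7c:6d:26;64:00:6a:7c:66:d5;64:00:6a:7c:5f:66;14:18:77:6b:31:01;' +
    '00:40:03:05:78:cd;64:00:6a:7c:65:b4;00:40:03:05:79:05;64:00:6a:7c:66:f2;' +
    '00:40:03:05:7a:91;00:40:03:05:7a:69;00:40:03:05:79:75;00:40:03:05:79:25;' +
    '00:40:03:05:7a:09;00:40:03:05:79:35;64:00:6a:7c:6d:ce;64:00:6a:7c:6b:79;' +
    '14:18:77:6b:63:81',
};

// Hypothetical helper: return a copy of the event in which `field` has been
// turned from a delimited string into an array. A JSON array under the field
// name is what the answer says Splunk turns into an index-time multivalue field.
function toMultivalue(event, field, delimiter = ';') {
  const value = event[field];
  if (typeof value !== 'string') return event; // nothing to split
  const parts = value
    .split(delimiter)
    .map((s) => s.trim())
    .filter((s) => s !== ''); // drop blanks from "a;;b" or "a;b;"
  return { ...event, [field]: parts };
}

const out = toMultivalue(sampleEvent, 'cs19');
console.log(out.cs19.length); // 33, matching the count given in the answer
console.log(JSON.stringify(out).slice(0, 60) + '...'); // the array form Splunk receives
```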
