Sending events with dynamic number of fields to Splunk (array)

How do I dynamically create multi value fields in Cribl?
For example, I would like to take the following and send it as a multi value event in Splunk:

cs19=00:40:03:05:79:e1;00:40:03:05:79:d1;00:40:03:05:7a:25;00:40:03:05:7a:89;00:40:03:05:79:f1;00:40:03:05:7a:4d;00:40:03:05:79:cd;00:40:03:05:79:dd;00:40:03:05:7a:51;00:40:03:05:79:fd;00:40:03:05:78:c9;00:40:03:05:78:f1;00:40:03:05:79:0d;00:40:03:05:79:2d;00:0a:f7:fb:77:58;64:00:6a:7c:65:48;64:00:6a:7c:6d:26;64:00:6a:7c:66:d5;64:00:6a:7c:5f:66;14:18:77:6b:31:01;00:40:03:05:78:cd;64:00:6a:7c:65:b4;00:40:03:05:79:05;64:00:6a:7c:66:f2;00:40:03:05:7a:91;00:40:03:05:7a:69;00:40:03:05:79:75;00:40:03:05:79:25;00:40:03:05:7a:09;00:40:03:05:79:35;64:00:6a:7c:6d:ce;64:00:6a:7c:6b:79;14:18:77:6b:63:81

For example, this sample event can come in with anywhere from 1 to 50 different MAC addresses.

1 UpGoat

This can be accomplished by using the Eval function with an Evaluate Fields entry to create a field named cs19 using the Value Expression cs19.split(';').

This will create an array called cs19, and for your example, it contains 33 values.

Send this over to Splunk as per usual, and it should come out as an index-time multi-valued field.

🙂 to Dritan for this answer!

1 UpGoat
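The Eval value expression in the answer is plain JavaScript, so its effect can be checked outside Cribl. The block below is an added example, not code from the original post or from Cribl itself: the function names (splitMultivalue, invalidMacs, countValues) and the sample event are invented for illustration, the 33-address cs19 string is copied from the question, and the extra guards (missing field, blank tokens from a trailing separator, whitespace) go beyond the bare cs19.split(';') expression.

```javascript
// Added example: what the Eval function's value expression cs19.split(';')
// does to an event, written as ordinary JavaScript so it can be run locally.
// Not Cribl's own code. Names below are hypothetical.

// Strict colon-separated MAC address, six hex octets.
const MAC_RE = /^[0-9a-f]{2}(:[0-9a-f]{2}){5}$/i;

// The full cs19 value from the question (33 MAC addresses).
const FULL_CS19 =
  '00:40:03:05:79:e1;00:40:03:05:79:d1;00:40:03:05:7a:25;00:40:03:05:7a:89;' +
  '00:40:03:05:79:f1;00:40:03:05:7a:4d;00:40:03:05:79:cd;00:40:03:05:79:dd;' +
  '00:40:03:05:7a:51;00:40:03:05:79:fd;00:40:03:05:78:c9;00:40:03:05:78:f1;' +
  '00:40:03:05:79:0d;00:40:03:05:79:2d;00:0a:f7:fb:77:58;64:00:6a:7c:65:48;' +
  '64:00:6a:7c:6d:26;64:00:6a:7c:66:d5;64:00:6a:7c:5f:66;14:18:77:6b:31:01;' +
  '00:40:03:05:78:cd;64:00:6a:7c:65:b4;00:40:03:05:79:05;64:00:6a:7c:66:f2;' +
  '00:40:03:05:7a:91;00:40:03:05:7a:69;00:40:03:05:79:75;00:40:03:05:79:25;' +
  '00:40:03:05:7a:09;00:40:03:05:79:35;64:00:6a:7c:6d:ce;64:00:6a:7c:6b:79;' +
  '14:18:77:6b:63:81';

// Constructed sample event: a CEF-style record whose cs19 custom string
// carries semicolon-separated MAC addresses, as in the question.
const sampleEvent = {
  host: 'sensor01',
  cs19: FULL_CS19,
};

// Equivalent of the Evaluate Fields entry
//   name: cs19     value expression: cs19.split(';')
// with three guards the bare expression lacks:
//   - an event without the field is returned unchanged instead of throwing
//     (cs19.split on undefined would raise a TypeError),
//   - tokens are trimmed, and
//   - empty tokens (e.g. from a trailing ';') are dropped, so the array length
//     matches the number of addresses actually present.
function splitMultivalue(event, field = 'cs19', sep = ';') {
  const out = { ...event };
  const value = event[field];
  if (typeof value !== 'string') return out;
  out[field] = value
    .split(sep)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  return out;
}

// Sanity check before the event reaches Splunk: any token that is not a
// well-formed MAC address points at a wrong delimiter or a malformed source.
function invalidMacs(values) {
  return values.filter((v) => !MAC_RE.test(v));
}

// Number of values the multi-value field will carry for a given cs19 string.
function countValues(cs19) {
  return splitMultivalue({ cs19 }).cs19.length;
}

// Stand-alone run: shows the array Splunk will receive and its size.
const processed = splitMultivalue(sampleEvent);
console.log(`cs19 has ${processed.cs19.length} values`);
console.log(`malformed entries: ${invalidMacs(processed.cs19).length}`);
```

When the event is sent to Splunk as JSON, the cs19 array arrives as one field with many values, which is the index-time multi-valued field the answer describes; the guards above only change what happens on malformed input (a missing field or a dangling separator), not the normal case.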