<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Best Sourcetype for KV pair in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Best-Sourcetype-for-KV-pair/m-p/276221#M52969</link>
    <description>&lt;P&gt;1- How do I define the KV pairs and the delimiters in the source type?&lt;/P&gt;

&lt;P&gt;The extract has this form (with 15 KV pairs):&lt;BR /&gt;
k1="v1", k2="v2", ...&lt;/P&gt;

&lt;P&gt;2- What extract format do you recommend (JSON?)&lt;/P&gt;

&lt;P&gt;3- Is&lt;BR /&gt;
| extract pairdelim=", " kvdelim="="&lt;/P&gt;

&lt;P&gt;as fast as defining that in the source type?&lt;/P&gt;

&lt;P&gt;Thanks for your help &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 31 May 2016 12:41:04 GMT</pubDate>
    <dc:creator>splunkLPN</dc:creator>
    <dc:date>2016-05-31T12:41:04Z</dc:date>
    <item>
      <title>Best Sourcetype for KV pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Best-Sourcetype-for-KV-pair/m-p/276221#M52969</link>
      <description>&lt;P&gt;1- How do I define the KV pairs and the delimiters in the source type?&lt;/P&gt;

&lt;P&gt;The extract has this form (with 15 KV pairs):&lt;BR /&gt;
k1="v1", k2="v2", ...&lt;/P&gt;

&lt;P&gt;2- What extract format do you recommend (JSON?)&lt;/P&gt;

&lt;P&gt;3- Is&lt;BR /&gt;
| extract pairdelim=", " kvdelim="="&lt;/P&gt;

&lt;P&gt;as fast as defining that in the source type?&lt;/P&gt;

&lt;P&gt;Thanks for your help &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 31 May 2016 12:41:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Best-Sourcetype-for-KV-pair/m-p/276221#M52969</guid>
      <dc:creator>splunkLPN</dc:creator>
      <dc:date>2016-05-31T12:41:04Z</dc:date>
    </item>
    <item>
      <title>Re: Best Sourcetype for KV pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Best-Sourcetype-for-KV-pair/m-p/276222#M52970</link>
      <description>&lt;P&gt;You need to provide more detail and better text.  What exactly are you trying to do and what do your raw events look like (show a few samples)?&lt;/P&gt;

&lt;P&gt;It looks like you are asking 2 questions.  If you have raw events in the form listed in &lt;CODE&gt;1&lt;/CODE&gt; above, then you should be able to use the extract that you provided in &lt;CODE&gt;3&lt;/CODE&gt;.  As far as &lt;CODE&gt;2&lt;/CODE&gt;, perhaps you are asking if you should convert the source data into &lt;CODE&gt;JSON&lt;/CODE&gt; instead of &lt;CODE&gt;KVP&lt;/CODE&gt;.  I would say &lt;CODE&gt;Yes&lt;/CODE&gt; because &lt;CODE&gt;KVP&lt;/CODE&gt; is only a little smaller than &lt;CODE&gt;JSON&lt;/CODE&gt; and &lt;CODE&gt;JSON&lt;/CODE&gt; will probably be more efficient to digest.  If you have the ability to modify the source events, though, I highly recommend going to &lt;CODE&gt;CSV&lt;/CODE&gt; with a header line, instead.&lt;/P&gt;</description>
      <pubDate>Tue, 31 May 2016 14:13:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Best-Sourcetype-for-KV-pair/m-p/276222#M52970</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2016-05-31T14:13:19Z</dc:date>
    </item>
    <item>
      <title>Re: Best Sourcetype for KV pair</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Best-Sourcetype-for-KV-pair/m-p/276223#M52971</link>
      <description>&lt;P&gt;The difference between using &lt;CODE&gt;extract&lt;/CODE&gt; in your search and setting up search time extraction is that with search time extraction, the fields are available for use without having to extract them every time. It also allows you to create aliases etc. With the &lt;CODE&gt;extract&lt;/CODE&gt; command, you will have to repeat the extraction with every search.&lt;/P&gt;

&lt;P&gt;To enable search time extraction, you will need to make the following changes.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Transforms&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[kv_pair_delim]
DELIMS = ",", "="
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Props&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[your sourcetype stanza]
REPORT-activity = kv_pair_delim
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 09:49:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Best-Sourcetype-for-KV-pair/m-p/276223#M52971</guid>
      <dc:creator>sundareshr</dc:creator>
      <dc:date>2020-09-29T09:49:55Z</dc:date>
    </item>
  </channel>
</rss>

