topic NOT extracting key pair values found in a URL in Getting Data In https://community.splunk.com/t5/Getting-Data-In/NOT-extracting-key-pair-values-found-in-a-URL/m-p/314872#M58952 <P>Hi Splunkers.</P> <P>Is there a way to prevent the extraction of KPV in a specific field/fields?</P> <P>To explain further, a set of firewall logs contains a number of key=value pairs.<BR /> These are being extracted automatically by Splunk.</P> <P>There is also (depending on the site) what appears to be key-values within the URL field.<BR /> These aren't values I am interested in extracting as they are simply part of the page served from the remote web server.</P> <P>Is there any way to NOT extract these (perceived) key-values on a per field basis (for URL and other fields) as once extracted, some end up with field names matching CIM field names.</P> <P>The only setting relating to this seems to be for disabling key-values extraction for an entire sourcetype, not individual fields.</P> <P>Thanks.</P> Wed, 28 Feb 2018 06:29:01 GMT torowa 2018-02-28T06:29:01Z NOT extracting key pair values found in a URL https://community.splunk.com/t5/Getting-Data-In/NOT-extracting-key-pair-values-found-in-a-URL/m-p/314872#M58952 <P>Hi Splunkers.</P> <P>Is there a way to prevent the extraction of KPV in a specific field/fields?</P> <P>To explain further, a set of firewall logs contains a number of key=value pairs.<BR /> These are being extracted automatically by Splunk.</P> <P>There is also (depending on the site) what appears to be key-values within the URL field.<BR /> These aren't values I am interested in extracting as they are simply part of the page served from the remote web server.</P> <P>Is there any way to NOT extract these (perceived) key-values on a per field basis (for URL and other fields) as once extracted, some end up with field names matching CIM field names.</P> <P>The only setting relating to this seems to be for disabling key-values extraction for an entire sourcetype, not individual fields.</P> <P>Thanks.</P> Wed, 28 Feb 2018 06:29:01 GMT https://community.splunk.com/t5/Getting-Data-In/NOT-extracting-key-pair-values-found-in-a-URL/m-p/314872#M58952 torowa 2018-02-28T06:29:01Z Re: NOT extracting key pair values found in a URL https://community.splunk.com/t5/Getting-Data-In/NOT-extracting-key-pair-values-found-in-a-URL/m-p/314873#M58953 <P>I think you would indeed need to disable auto KV (so set KV_MODE=none) and define a suitable field extraction explicitly for that sourcetype.</P> <P>Since you're mentioning firewall logs, isn't there a TA available that takes care of such things for you? I would expect that most firewall brands have a TA on splunkbase?</P> Wed, 28 Feb 2018 13:45:54 GMT https://community.splunk.com/t5/Getting-Data-In/NOT-extracting-key-pair-values-found-in-a-URL/m-p/314873#M58953 FrankVl 2018-02-28T13:45:54Z