https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438566#M124828 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/108994">@krisreeves</a>,</P> <P>Automatic key-value field extraction is a search-time field extraction configuration that uses the KV_MODE attribute to automatically extract fields for events associated with a specific host, source, or source type. Configure automatic key-value field extractions by finding or creating the appropriate stanza in props.conf. You can find props.conf in $SPLUNK_HOME/etc/system/local/ or your own custom app directory in $SPLUNK_HOME/etc/apps/.</P> <P>so set KV_MODE=none in props.conf to avoid auto kv extractions and write a custom parser for your events either index/search time.</P> Tue, 29 Sep 2020 20:26:58 GMT thambisetty 2020-09-29T20:26:58Z https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438565#M124827 <P>We've noticed that key=value pairs inside a quoted value get extracted too. For example, with an event like <CODE>foo="bar=baz"</CODE>, the field <CODE>foo</CODE> will be extracted with the value <CODE>bar=baz</CODE>, but also the field <CODE>bar</CODE> will be extracted with the value <CODE>baz</CODE>. Is there a way to disable this behavior? (Splunk Enterprise 6.5.4)</P> <P>This sometimes creates a problem when logging things like URLs that have query strings; if a query string contains a key that has the same name as another field in the event, the extraction of that query string value will override the value of the field we want (possibly later in the line)</P> Sat, 14 Jul 2018 17:44:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438565#M124827 krisreeves 2018-07-14T17:44:38Z https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438566#M124828 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/108994">@krisreeves</a>,</P> <P>Automatic key-value field extraction is a search-time field extraction configuration that uses the KV_MODE attribute to automatically extract fields for events associated with a specific host, source, or source type. Configure automatic key-value field extractions by finding or creating the appropriate stanza in props.conf. You can find props.conf in $SPLUNK_HOME/etc/system/local/ or your own custom app directory in $SPLUNK_HOME/etc/apps/.</P> <P>so set KV_MODE=none in props.conf to avoid auto kv extractions and write a custom parser for your events either index/search time.</P> Tue, 29 Sep 2020 20:26:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438566#M124828 thambisetty 2020-09-29T20:26:58Z https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438567#M124829 <P>You should set <CODE>KV_MODE = none</CODE> to turn off this capability and then create your own unanchored RegEx as a <CODE>REPORT-</CODE> search-time extraction to do the same thing, but in a way that <EM>you</EM> control.</P> Sun, 15 Jul 2018 13:29:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438567#M124829 woodcock 2018-07-15T13:29:23Z https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438568#M124830 <P>This is pretty unfortunate, but I haven't found a better solution <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Thu, 19 Jul 2018 19:44:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-avoid-extracting-fields-from-quoted-values/m-p/438568#M124830 krisreeves 2018-07-19T19:44:08Z