https://community.splunk.com/t5/Splunk-Search/How-can-I-fix-my-field-extraction/m-p/492576#M137404 <P>You are doing it wrong; use <CODE>multikv</CODE> which uses <CODE>column-alignment</CODE>:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv</A></P> Wed, 18 Mar 2020 15:18:35 GMT woodcock 2020-03-18T15:18:35Z https://community.splunk.com/t5/Splunk-Search/How-can-I-fix-my-field-extraction/m-p/492574#M137402 <P>Hello</P> <P>I have a structured data source that puts out data in a table with headers and a footer row with a total.<BR /> I got all the extractions working BUT there is a field called path that may contain spaces:</P> <PRE><CODE>directory DEFAULT /abc/path/fileservers/xxxd19/acb123 Cost Estimate No 10.00G - 9.00G 292.14M directory DEFAULT /abc/path/fileservers/xxxd19/A12 No 120.00G - 113.00G 50.549G </CODE></PRE> <P>The second path works great, extracts properly. The first however truncates "Cost Estimate" because of the space then throws off the rest of the fields. </P> <P>The props look like this:</P> <PRE><CODE>[storage:data] DATETIME_CONFIG = CURRENT LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = SHOULD_LINEMERGE = false disabled = false pulldown_type = true FIELD_DELIMITER = whitespace HEADER_FIELD_LINE_NUMBER = 1 SEDCMD-removeDash = s/---------------------------------------------------------------------------------------------------------//g SEDCMD-removeDash2 = s/^\-.*$//g </CODE></PRE> <P>Any ideas on how to make the field include the portion of the path that includes spaces?<BR /> Thanks in advance for the help!</P> Tue, 17 Mar 2020 14:55:48 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-fix-my-field-extraction/m-p/492574#M137402 tkw03 2020-03-17T14:55:48Z https://community.splunk.com/t5/Splunk-Search/How-can-I-fix-my-field-extraction/m-p/492575#M137403 <P>Obviously, <CODE>FIELD_DELIMITER = whitespace</CODE> won't work. Let's try a regex transform.</P> <P>Props.conf:</P> <PRE><CODE>[storage:data] DATETIME_CONFIG = CURRENT LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = SHOULD_LINEMERGE = false disabled = false pulldown_type = true HEADER_FIELD_LINE_NUMBER = 1 SEDCMD-removeDash = s/---------------------------------------------------------------------------------------------------------//g SEDCMD-removeDash2 = s/^\-.*$//g TRANSFORMS-extract = extracter </CODE></PRE> <P>Transforms.conf:</P> <PRE><CODE>[extracter] REGEX = (?&lt;field1&gt;\S+)\s+(?&lt;field2&gt;\S+)\s+(?&lt;path&gt;.+?)\s{2,}(?&lt;field4&gt;\S+)\s+(?&lt;field5&gt;\S+)\s+(?&lt;field6&gt;\S+)\s+(?&lt;field7&gt;\S+)\s+(?&lt;field8&gt;\S+) </CODE></PRE> Tue, 17 Mar 2020 18:30:22 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-fix-my-field-extraction/m-p/492575#M137403 richgalloway 2020-03-17T18:30:22Z https://community.splunk.com/t5/Splunk-Search/How-can-I-fix-my-field-extraction/m-p/492576#M137404 <P>You are doing it wrong; use <CODE>multikv</CODE> which uses <CODE>column-alignment</CODE>:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv</A></P> Wed, 18 Mar 2020 15:18:35 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-fix-my-field-extraction/m-p/492576#M137404 woodcock 2020-03-18T15:18:35Z