topic how to fetch the key values from double pipe separator in Splunk Search https://community.splunk.com/t5/Splunk-Search/how-to-fetch-the-key-values-from-double-pipe-separator/m-p/516947#M145319 <P>Hi Team,</P><P>I am having a logging with double pipe separator (||)&nbsp; and need to get the key values from logs.&nbsp;</P><P>Log pattern:-</P><P>logs ........|ab-c=1234<STRONG>||</STRONG>xy-z=1598<STRONG>||</STRONG>cd-e=5ab4<STRONG>||....</STRONG>more logs</P><P>Need to fetch table to with values of (ab-c,xy-z,cd-e).&nbsp;</P><P>Till now i tried&nbsp;</P><P>search | dedup ab-c, cd-e,xy-z | table ab-c, xy-z, cd-e&nbsp;&nbsp;</P><P>but its not working. Please suggest</P><P>&nbsp;</P> Mon, 31 Aug 2020 02:17:09 GMT iamlucky92 2020-08-31T02:17:09Z how to fetch the key values from double pipe separator https://community.splunk.com/t5/Splunk-Search/how-to-fetch-the-key-values-from-double-pipe-separator/m-p/516947#M145319 <P>Hi Team,</P><P>I am having a logging with double pipe separator (||)&nbsp; and need to get the key values from logs.&nbsp;</P><P>Log pattern:-</P><P>logs ........|ab-c=1234<STRONG>||</STRONG>xy-z=1598<STRONG>||</STRONG>cd-e=5ab4<STRONG>||....</STRONG>more logs</P><P>Need to fetch table to with values of (ab-c,xy-z,cd-e).&nbsp;</P><P>Till now i tried&nbsp;</P><P>search | dedup ab-c, cd-e,xy-z | table ab-c, xy-z, cd-e&nbsp;&nbsp;</P><P>but its not working. Please suggest</P><P>&nbsp;</P> Mon, 31 Aug 2020 02:17:09 GMT https://community.splunk.com/t5/Splunk-Search/how-to-fetch-the-key-values-from-double-pipe-separator/m-p/516947#M145319 iamlucky92 2020-08-31T02:17:09Z Re: how to fetch the key values from double pipe separator https://community.splunk.com/t5/Splunk-Search/how-to-fetch-the-key-values-from-double-pipe-separator/m-p/516967#M145336 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161005">@iamlucky92</a>&nbsp;,<BR /><BR />I added a file with your sample line in it to my lab.<BR />The fields and values were extracted automatically, without any regex or conf file manipulation.<BR /><BR />The&nbsp;<A href="https://docs.splunk.com/Splexicon:Automatickeyvaluefieldextraction" target="_self">automatic key value field extraction</A>&nbsp;worked just fine.<BR /><BR />How is this data coming in on your side?&nbsp; &nbsp;Could you share the props.conf that deals with it?<BR />Also an example of the whole event would be helpfull.&nbsp;<BR /><BR />BR<BR />Ralph</P> Mon, 31 Aug 2020 08:03:18 GMT https://community.splunk.com/t5/Splunk-Search/how-to-fetch-the-key-values-from-double-pipe-separator/m-p/516967#M145336 rnowitzki 2020-08-31T08:03:18Z