topic Re: How to extract key value pairs where each value has non-standard "quoters" (ex: foo='bar', dog='cat')? in Splunk Search

How to extract key value pairs where each value has non-standard "quoters" (ex: foo='bar', dog='cat')?

ccollord — Mon, 23 Mar 2015 20:28:17 GMT

Hi,
To make a long story short i have some logs that are key value pairs, like so:

foo="bar" dog="cat" frog="bat"
Unfortunately my Windows logging daemon converts to this:

[hostname] data="foo='bar' dog='cat' frog='bat'"

Splunk is actually handling the extractions just fine, except that each value pair is:
'bar', 'cat', 'bat'
(They have the included single-tick in the value.) Is there an easy way to fix this? From Splunk documentation and a blog post from 2008 i've gathered that the quotation marks around the values are called "quoters" and they are not configurable to be different characters like an apostrophe[1]. What else can i do?

[1] http://blogs.splunk.com/2008/02/12/delimiter-based-key-value-pair-extraction/

Re: How to extract key value pairs where each value has non-standard "quoters" (ex: foo='bar', dog='cat')?

somesoni2 — Mon, 23 Mar 2015 20:53:35 GMT

Option 1: use SEDCMD in props.conf on Indexer to format your logs (your can update [hostname] data="foo='bar' dog='cat'" to [hostname] foo="bar" dog="cat" frog="bat")
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Anonymizedatausingconfigurationfiles

Option 2: use search time field extraction to cleanup the values. This can be done per field (field extraction) OR for all fields (field transformation)
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles

Re: How to extract key value pairs where each value has non-standard "quoters" (ex: foo='bar', dog='cat')?

ccollord — Mon, 23 Mar 2015 21:09:21 GMT

The SEDCMD looks like it'll work just great for what i need. Thanks!