https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263634#M79123 <P>Try specifying space-character as a pair delimiter as well.</P> <PRE><CODE>index=* sourcetype=orange | extract pairdelim="; " kvdelim=":" </CODE></PRE> <P>For me that gave the correct and expected result. </P> <PRE><CODE>user:hgfh std:6 status:success </CODE></PRE> <P>I suspect that since the kv extract is "mid-sentence" it tries to outrule anything that does not fit exactly with the specified pair delimiter. Thus resulting in the return of only two kv-pairs unless you specify space and semicolon as pair delimiters.</P> <P>Cheers,</P> Mon, 18 Jul 2016 14:10:50 GMT tormodbp 2016-07-18T14:10:50Z https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263633#M79122 <P>Hi,</P> <P>This is sample event. I tried to explore extract command.</P> <P>index=* sourcetype=orange | extract pairdelim=";", kvdelim=":"</P> <P>4/18/161:00:00.000 PM 2016-04-18 13:00:00 user:hgfh;std:6;status:success</P> <P>For the above event its only extracted std as 6 and status as success but not the user. Why is that like. So is it expecting ";" before and after?</P> <P>And cant we use kvdelim alone in our queries?<BR /> index=* sourcetype=orange | extract kvdelim=":"</P> <P>Thanks</P> Mon, 18 Jul 2016 10:45:43 GMT https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263633#M79122 splunkn 2016-07-18T10:45:43Z https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263634#M79123 <P>Try specifying space-character as a pair delimiter as well.</P> <PRE><CODE>index=* sourcetype=orange | extract pairdelim="; " kvdelim=":" </CODE></PRE> <P>For me that gave the correct and expected result. </P> <PRE><CODE>user:hgfh std:6 status:success </CODE></PRE> <P>I suspect that since the kv extract is "mid-sentence" it tries to outrule anything that does not fit exactly with the specified pair delimiter. Thus resulting in the return of only two kv-pairs unless you specify space and semicolon as pair delimiters.</P> <P>Cheers,</P> Mon, 18 Jul 2016 14:10:50 GMT https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263634#M79123 tormodbp 2016-07-18T14:10:50Z https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263635#M79124 <P>Thanks tomodbp. Its worked !! aren't we able to use kvdelim alone?</P> Tue, 19 Jul 2016 06:34:26 GMT https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263635#M79124 splunkn 2016-07-19T06:34:26Z https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263636#M79125 <P>No problem!<BR /> I would think that you should be able to, but I am unable to find any documentation to support that claim. I've tried to experiment with the parameters. So far I have not found any other solution using ´kv´ / ´extract´, sorry.</P> Tue, 19 Jul 2016 07:04:00 GMT https://community.splunk.com/t5/Splunk-Search/extract-command/m-p/263636#M79125 tormodbp 2016-07-19T07:04:00Z