Iterative fields with spaces in values

michaelbrunetto — Thu, 21 Feb 2013 04:08:25 GMT

I'm having trouble with the way Splunk parses some of my logs which has field=value pairs that have values with unquoted values with spaces. Example:
_raw = some|segmented|text|field1=value1 field2=value2 field3=a third value field4=my forth value field5=value5 field6=one more with spaces

I've already broken it up so I get the following field:
GENERIC = field1=value1 field2=value2 field3=a third value field4=my forth value field5=value5 field6=one more with spaces

The problem is Splunks parsing automatically determines this:
field1=value1
field2=value2
field3=a
field4=my
field5=value5
field6=one

should be:
field1=value1
field2=value2
field3=a third value
field4=my forth value
field5=value5
field6=one more with spaces

I've tried using regexes with rex, but the problem is that all of these fields are optional, and I don't necessarily have a complete list of fields yet.
Most recently I've been trying to use sed to put a \n in front of anything with an = sign after it, but that hasn't worked so well.

Good news is, from everything I can tell, the fields don't have spaces in them.
{edited for formatting}

Re: Iterative fields with spaces in values

martin_mueller — Thu, 21 Feb 2013 09:15:31 GMT

You could build a regex that looks for field2= or $ after extracting field1=[^=]+, that way it should walk right up to the next field name but not include it.

topic Re: Iterative fields with spaces in values in Splunk Search

Iterative fields with spaces in values

Re: Iterative fields with spaces in values