All Apps and Add-ons

Quoted fields that contain "=" sign result in extra fields

drippler
Explorer

Hi,

I'm using the REST API to POST data with a key="value"\nkey2="value2" format.
Everything works great, except for when a value contains the equals sign, more fields are being extracted. How do I fix it? Can I "escape" the equals sign or change the transforms.conf file?

Example:
name="John"
url="someurl?param=somevalue"

Extracted fields:
name="John"
url="someurl?param=somevalue"
param="somevalue"

How do I lose this extra fields?

Thanks!

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Why would you not want them? Splunk automatically extracts those by default. If you want to not have them show in the list, use "Fast mode" (look towards the job inspector area of the UI to change between Smart/Fast/Verbose). It isn't a performance hit, and unless you specify index time transformations, won't cause extra storage use. It's part of what makes Splunk, Splunk.

Did you know? Join us on our #splunk channel on IRC! Efnet servers will find us.

drippler
Explorer

Thanks!
In fast mode I see none of my "real" fields. Can's I change the settings of the sourcetype to not extract fields from within quoted values?

0 Karma

emaccaferri
Communicator

to exctract field, are you using automated key-value exctraction or you wrote a trasformation?

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...