Quoted fields that contain "=" sign result in extra fields

drippler
Explorer

Hi,

I'm using the REST API to POST data with a key="value"\nkey2="value2" format.
Everything works great, except for when a value contains the equals sign, more fields are being extracted. How do I fix it? Can I "escape" the equals sign or change the transforms.conf file?

Example:
name="John"
url="someurl?param=somevalue"

Extracted fields:
name="John"
url="someurl?param=somevalue"
param="somevalue"

How do I lose these extra fields?

Thanks!

0 Karma

alacercogitatus
SplunkTrust

Why would you not want them? Splunk automatically extracts those by default. If you want to not have them show in the list, use "Fast mode" (look towards the job inspector area of the UI to change between Smart/Fast/Verbose). It isn't a performance hit, and unless you specify index time transformations, won't cause extra storage use. It's part of what makes Splunk, Splunk.

Did you know? Join us on our #splunk channel on IRC! Efnet servers will find us.

drippler
Explorer

Thanks!
In fast mode I see none of my "real" fields. Can't I change the settings of the sourcetype to not extract fields from within quoted values?

0 Karma

emaccaferri
Communicator

To extract fields, are you using automated key-value extraction, or did you write a transformation?

0 Karma
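
One way to get only the quoted pairs at search time, as an added example that is not from any poster in this thread: switch off automatic key-value discovery for the sourcetype and extract with an explicit transform. The sourcetype name `my_rest_kv` and the stanza name `quoted_kv_pairs` are hypothetical, and the regex assumes every field arrives as key="value" at the start of a line or after whitespace.

```ini
# props.conf (search-time settings for the sourcetype)
# "my_rest_kv" is a hypothetical sourcetype name; use the one your POSTs set.
[my_rest_kv]
# Disable automatic key=value discovery, which is what produced param.
KV_MODE = none
# Run the explicit extraction defined in transforms.conf instead.
REPORT-quoted_kv = quoted_kv_pairs

# transforms.conf
# "quoted_kv_pairs" is a hypothetical stanza name.
[quoted_kv_pairs]
# A key is only accepted at the start of the event or after whitespace,
# and its value must be wrapped in double quotes. Anything inside the
# quotes, including "=", stays part of the value.
REGEX = (?:^|\s)([A-Za-z_]\w*)="([^"]*)"
# $1::$2 names the field from the first capture group and repeats the
# match across the event, so every key="value" pair is extracted.
FORMAT = $1::$2
```

With the sample event from the question, this yields `name` and `url` only; `param=somevalue` follows a `?` and has no quoted value, so it never matches.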