All Apps and Add-ons

Which character(s) are not considered delimiters in field values?

marnee
Explorer

I have a field with multiple values that would normally be delimited by a comma:

Field=value1,value2,value3

In Splunk, the Field value will just show "value1".

I want to alter the log message itself to use a delimiter other than comma such that Splunk sees the entire value by default. What characters would work? (I'm sure this is probably documented somewhere, but I could not find it.)

(Note: I see a lot of answers on how to get all values delimited by comma by writing custom field extraction or custom queries in Splunk. However, I don't want to add special processing in Splunk in this case, since we have dozens of people in this case who will just look at "Field" and likely will be perplexed that it doesn't contain all values. Therefore, I want to alter the log message itself and allow Splunk to grab the entire value by default.)

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Just about any separator you choose would be considered a delimiter by Splunk. The best way to alter the log message is to put quotation marks (") around the value as in Field="value1,value2,value3".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

woodcock
Esteemed Legend

Take a nap and an aspirin and then google splunk segmenters.conf.

0 Karma

marnee
Explorer

The snark was not necessary, and the "tip" was unhelpful.

woodcock
Esteemed Legend

I am sorry that I was ambiguous and in my unclarity, you took it the opposite way that I intended (I can see how this could be easily mis-interpreted); please do forgive me after I explain. What I meant was that you asked what appeared to you to be a very simple question, but it turns out that it is grotesquely complicated, so much so, that it will hurt your brain (asprin) and wear you out (nap). Thank you for your followup comment which allowed me to see my blunder and give me the opportunity to clarify!
Here is what I meant:
https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf
https://docs.splunk.com/Documentation/Splunk/latest/Data/Setthesegmentationforeventdata
https://docs.splunk.com/Documentation/Splunk/latest/Data/Abouteventsegmentation
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Segmentersconf

marnee
Explorer

LOL, no problem, that makes more sense.

Thanks much for the clarification and the links.

richgalloway
SplunkTrust
SplunkTrust

Just about any separator you choose would be considered a delimiter by Splunk. The best way to alter the log message is to put quotation marks (") around the value as in Field="value1,value2,value3".

---
If this reply helps you, Karma would be appreciated.

marnee
Explorer

Thanks. That is exactly what I needed.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...