- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How are underscores in logs treated by Splunk?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are underscores in logs treated by Splunk?
All,
Can you explain how the underscore is treated by Splunk? I see they are dropped at search times.
I am seeing a log that has:
_message="some words"
But it's extracted automatically as:
message=""
Would there be any value in me fixing _message to message at index-time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's done by transforms during search time field extraction. You can disable it by setting below property in transforms.conf
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other
than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as
well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include
non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.
You shoud be careful with that though or disable it only for certain sourcetypes. See here for more info
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@daniel333 , please mark as answer if it's resolved your issue so that the thread will be closed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So based on what I think you're saying here. Is that there might be value in saving some field extraction at search time if I can correct this at ingestion time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am looking at about 20 million events an hour with this _. I am thoerizing that it will save some time on field extraction by using a props.conf SEDCMD on our heavy forwarders.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
