
Best Sourcetype for KV pair

splunkLPN
Path Finder

1- How do I define the KV pairs and their delimiters in the sourcetype?

The extract has this form (with 15 KV pairs):
k1="v1", k2="v2", ...

2- What extract form do you recommend (JSON?)

3- Is
| extract pairdelim=", " kvdelim="="

as fast as defining that in the sourcetype?

Thanks for your help 🙂

0 Karma

sundareshr
Legend

The difference between using extract in your search and setting up search-time extraction is that with search-time extraction, the fields are available for use without having to extract them every time. It also allows you to create aliases, etc. With the extract command, you will have to repeat the extraction with every search.

To enable search-time extraction, you will need to make the following changes:

*Transforms* (transforms.conf)

    # Stanza name; referenced from props.conf by the REPORT- setting below
    [kv_pair_delim]
    # First quoted string: character(s) that separate pairs
    # Second quoted string: character(s) that separate a key from its value
    DELIMS = ",", "="

*Props* (props.conf)

    [your sourcetype stanza]
    # Apply the transform above as a search-time field extraction
    REPORT-activity = kv_pair_delim

0 Karma

woodcock
Esteemed Legend

You need to provide more detail and better text. What exactly are you trying to do and what do your raw events look like (show a few samples)?

It looks like you are asking 2 questions. If you have raw events in the form listed in 1 above, then you should be able to use the extract that you provided in 3. As for 2, perhaps you are asking if you should convert the source data into JSON instead of KVP. I would say yes, because KVP is only a little smaller than JSON and JSON will probably be more efficient to digest. If you have the ability to modify the source events, though, I highly recommend going to CSV with a header line instead.

0 Karma
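An added example, not from this thread and not Splunk code: the Python below shows why a delimiter-only KV extraction (splitting on ", " and "=", as both the extract command in the question and the DELIMS transform in the answer above describe) is fragile once a value contains the delimiters, and why the JSON or CSV-with-header forms recommended above round-trip the same record intact. It assumes nothing about how Splunk's extract or DELIMS handle quoted values internally; the 15-field record and its hostile msg value are constructed for the demonstration, and the escaping rule (backslash before a quote) is an assumption chosen for the example.

```python
import csv
import io
import json
import re

# Constructed sample: 15 KV pairs in the k="v" form from the question. The
# last value deliberately contains the pair delimiter ", ", the kv delimiter
# "=" and quotes, which is what user-controlled input (a username, a URL, a
# free-text message) looks like once it lands in a log field.
SAMPLE_FIELDS = {f"k{i}": f"v{i}" for i in range(1, 15)}
SAMPLE_FIELDS["msg"] = 'login failed, user="admin", reason=bad password'

# One key, then a double-quoted value in which \" and \\ are escapes.
KV_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def to_kv(fields):
    """Serialise as k="v", k2="v2", ... (assumed escaping: \\ and \" inside values)."""
    def esc(v):
        return str(v).replace("\\", "\\\\").replace('"', '\\"')
    return ", ".join(f'{k}="{esc(v)}"' for k, v in fields.items())


def parse_kv_naive(line):
    """Delimiter-only extraction: split pairs on ', ' and each pair on the first '='.

    Models a pure delimiter split (an assumption for illustration, not a claim
    about Splunk's own extract or DELIMS implementation).
    """
    out = {}
    for pair in line.split(", "):
        if "=" not in pair:
            continue  # fragment without a delimiter is silently dropped
        key, value = pair.split("=", 1)
        out[key] = value.strip('"')
    return out


def parse_kv_quoted(line):
    """Quote-aware extraction: a value runs to the next unescaped closing quote."""
    out = {}
    for m in KV_PAIR_RE.finditer(line):
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \" and \\
    return out


def to_csv(fields):
    """CSV with a header line, as recommended in the answer above."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), lineterminator="\n")
    writer.writeheader()
    writer.writerow(fields)
    return buf.getvalue()


def from_csv(text):
    return list(csv.DictReader(io.StringIO(text)))[0]


def roundtrip_report(fields):
    """For each format/parser, does the record survive serialise -> parse unchanged?"""
    kv_line = to_kv(fields)
    return {
        "kv_naive_split": parse_kv_naive(kv_line) == fields,
        "kv_quote_aware": parse_kv_quoted(kv_line) == fields,
        "json": json.loads(json.dumps(fields)) == fields,
        "csv_with_header": from_csv(to_csv(fields)) == fields,
    }


if __name__ == "__main__":
    naive = parse_kv_naive(to_kv(SAMPLE_FIELDS))
    # The naive split truncates msg and "extracts" two attacker-chosen keys.
    print("naive msg:", repr(naive["msg"]), "extra keys:", sorted(set(naive) - set(SAMPLE_FIELDS)))
    for fmt, ok in roundtrip_report(SAMPLE_FIELDS).items():
        print(f"{fmt:16s} round-trips: {ok}")
```

The security-relevant point is the injected keys: with a delimiter-only split, whoever controls the msg value also controls which fields a search sees (here a spoofed user and reason), while a quote-aware parser, JSON, or CSV-with-header keeps the hostile value inside its own field. The naive parser above is the behaviour to test for before trusting any delimiter-based extraction on user-influenced data.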