Extract key=value into field

splunkville · ‎05-16-2025

[cmd_data=list cm device recusive]

splunk auto extracts just [cmd_data=list]

End result - be able to filter on cmd data and get the full cmd / mutiple values.

Will these configs work?

transforms.conf
[full_cmd]
SOURCE_KEY = cmd_data
REGEX = (cmd_data)\S(?<full_cmd>.*)
FORMAT = full_cmd::$1

props.conf
EXTRACT-field full_cmd

livehybrid · ‎05-16-2025

No, this will not work because the source key (cmd_data) contains the shortened version which has been broken up due to the space.

Your transforms.conf and props.conf configs need adjustment. To extract the full value after cmd_data=, use this in transforms.conf:

== props.conf ==
[yourSourceytype]
REPORT-full_cmd = full_cmd

== transforms.conf ==
[full_cmd]
REGEX = cmd_data=([^\]]+)\]
FORMAT = full_cmd::$1

The REGEX captures everything after cmd_data= up to the "]".
REPORT- in props.conf applies the transform at search time.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing

Are you a member of the Splunk Community?