Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract field values from a log record including blanks in the data part?

DrFedtke
Explorer
‎08-13-2015 02:38 AM

hi all,

we have data records like

posLabel=monitoring field posData=51.02 55.56 msg=xxxx

where variables' content include blanks.

my questions:

  • how can I advise splunk to include the entire string (incl. blanks)
    to a variable. in this example, to assign "monitoring field" to variable
    posLabel and "51.02 55.56" to posData?

  • is there any escape character defined to prevent that a "=" character
    in my data becomes interpreted as a new variable namen?
    for example, in case of "posData=x=5,y=9 " the value of posData
    should be "x=5,y=9", and no x and y variables should become created.

thanks for any link or sample code.

best, and thanks to all
Caspar

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-13-2015 10:41 AM

Like this:

props.conf:

[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs

transforms.conf:

[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-13-2015 10:41 AM

Like this:

props.conf:

[mySourceType]
TRANSFORMS-mySourceType = mySourceTypeKVPs

transforms.conf:

[mySourceTypeKVPs]
REGEX = ([^\s\=]+)=([^=]*)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = 1
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...