Solved: How to override automatic key-value extraction whi...

koshyk · ‎07-27-2018

We have got some data in below format

2018-07-26T01:00:01 empID=12345 empName='Spider Man' department='IT'
2018-07-26T01:00:02 empID=12346 empName='Super Man' department='HR'

When splunk extracts (automatically), the fields contains single quotes '
eg empName='Spider Man'

But customer doesn't need to see the single quotes !!
Any Better way to remove the automatic extraction ,so we can say the value is Spider Man and NOT 'Spider Man'

(I understand, I can write regex to do this. But prefer if we do via props.conf or transforms.conf in simplest way possible)

akocak · ‎07-27-2018

I don't think you need transforms for this task.
you simply need to add following or similar to your props under your sourcetype:(note " ' " in replace)

    [mysourcetype]
    .....
    EVAL-empName = nullif(replace(empName,"'",""),"-")

View solution in original post

patilsonali1729 · ‎07-27-2018

Hello,
Try using below in tensforms.conf.

[mytransform]
REGEX = \s+(\w+)='(.*?)'
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true

Use the correct name in props.conf(mytransform) e.g
[]
REPORT-fieldextr = mytransform

koshyk · ‎07-28-2018

thanks. upvoted, but preferred the above person's option as it is simpler.

akocak · ‎07-27-2018

I don't think you need transforms for this task.
you simply need to add following or similar to your props under your sourcetype:(note " ' " in replace)

    [mysourcetype]
    .....
    EVAL-empName = nullif(replace(empName,"'",""),"-")

koshyk · ‎07-28-2018

thanks mate. Prefer this as it is simple

akocak · ‎07-28-2018

your welcome

How to override automatic key-value extraction which contain single quotes?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!