Re: Key Value Pairs with Spaces

ezajac · ‎01-22-2013

A developer made a change to the logging that they were managing. They added a new Key Value Pair and the results now have spaces ie Operation=Web Service Call: callABCService. Splunk Search is classifying this as Operation=Web. Is there a quick fix that I can make in Transforms or Props to work around this?

Thank you

n8 · ‎07-16-2013

Is each KV pair on a line by itself? If so you can just do something like the following:

props.conf

REPORT-bad_dev_format = kv-spaces

transforms.conf

[kv-spaces]
DELIMS = "\n","="

Otherwise paste a copy of an event and maybe we can suggest a transforms solution.

michaelbrunetto · ‎02-20-2013

Easiest way is to get the developer to quote their output. So Operation="Web Service Call: callABCService".

I have a similar problem, but with a product I can't change the logging on, so any other advice would be wonderfully helpful.

jonuwz · ‎01-22-2013

Whats the rest of the raw event look like ?

Key Value Pairs with Spaces

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation