Getting Data In

Parsing dynamic fields when indexing from script?

jm8thew
Engager

I'm new to Splunk and I'm trying to import some data from a database that I'd like to have indexed by Splunk. I have a script that returns the info from the database in column name = value pairs. However, some of the column names and values have spaces in them, which seems to mess with Splunk's ability to extract field names. Putting quotes around the column name and value didn't work. Replacing spaces with underscores works, but that is not an ideal solution.

Using the MySQL Connector app I'm able to view the database as it is, but I can't maintain historical data.

So how does Splunk decide what is a field and what isn't beyond simple field=value pairs?

Can I do something so that it will accept spaces in the field names from the script data?

Can I change the way my script outputs data (currently columnname=value for every row) so that it captures the column name and values properly?

Is there a way to use the MySQL Connector app for monitoring changes in my database?

Thanks

0 Karma

martin_mueller
SplunkTrust
Splunk field names cannot contain spaces, like most identifier types you'll find. For example, the following extraction will fail:

  • | rex "foo:'(?<foo field>[^']+)'"

while replacing the space with an underscore will work:

  • | rex "foo:'(?<foo_field>[^']+)'"

Personally, I would consider replacing the spaces with underscores in the script's output to be reasonably good practice.

However, you can write your own field extractions that go beyond Splunk's default key=value behaviour. For example, you can use the interactive field extractor available from the event options menu. You still will not be able to get spaces in field names, though; you will need to come up with a different name for the field. At that point you might be better off going the underscore way.
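One way to shape the script's output along the lines of the answer above, as an added example that is not code from the thread: column names become underscore identifiers, and values are double-quoted and cleaned so that a value from the database cannot close its own quotes or start a new line and so introduce extra fields or events. The function names, the `f_` prefix, the numeric collision suffix and the sample rows are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

def field_name(column):
    """Map a column name to an identifier without spaces: 'Last Login' -> 'Last_Login'."""
    name = re.sub(r"[^A-Za-z0-9_]+", "_", column.strip()).strip("_")
    if not name or name[0].isdigit():
        name = "f_" + name  # assumption: avoid empty names and a leading digit
    return name

def field_value(value):
    """Double-quote a value so its spaces stay inside one field."""
    text = "" if value is None else str(value)
    # Lossy on purpose: an embedded double quote becomes a single quote so the
    # value cannot end early and smuggle in another key=value pair. Backslashes
    # are doubled so a trailing one cannot be read as escaping the closing quote.
    text = text.replace("\\", "\\\\").replace('"', "'")
    # Keep each row on one line so a value cannot start a new event.
    text = text.replace("\r", "\\r").replace("\n", "\\n")
    return '"' + text + '"'

def format_event(row, when=None):
    """Render one database row (dict of column -> value) as a single event line."""
    when = when or datetime.now(timezone.utc)
    parts = [when.strftime("%Y-%m-%dT%H:%M:%S%z")]
    used = {}
    for column, value in row.items():
        name = field_name(column)
        # "user name" and "user_name" collapse to the same identifier;
        # suffix later ones so two columns are never merged into one field.
        used[name] = used.get(name, 0) + 1
        if used[name] > 1:
            name = f"{name}_{used[name]}"
        parts.append(f"{name}={field_value(value)}")
    return " ".join(parts)

if __name__ == "__main__":
    sample_rows = [  # constructed rows, not data from the thread
        {"user name": "Ann Lee", "last login": "2024-01-05 10:00:00", "user_name": "alee"},
        {"user name": 'x" role="admin', "last login": None, "2fa enabled": 1},
    ]
    for row in sample_rows:
        print(format_event(row))
```
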
