Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Transforms not working trying to extract KV pairs ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transforms not working trying to extract KV pairs from URL
I have events with URLs, and the URLs contain parameters with KV values in them. Splunk auto extracts the KV pairs, but I want the transforms to apply a prefixed value to the key names from the pairs in the URL. For some reason my transforms refuse to work.
Here are a few sample events:
05-11-2026T14:08:01-05:00 LogLevel=INFO TraceId=69baf81038352c1e63cae59b98259742 Url=https://api.something.com/rsi/something/replacement/internal/something_internal_services/resources/org/p/ZMC31/01?hierarchy=false&includeInactive=true&test1=test2&test3=test4 DurationMillis=109 hierarchy=maybe includeInactive=false
05-11-2026T14:07:54-05:00 LogLevel=INFO TraceId=69baf80a0a882f20e6c944e61c5109a2 Url=https://api.something.com/rsi/something/replacement/internal/something_internal_services/resources/org/p/3UC31/01?hierarchy=false&includeInactive=true&test1=test2&test3=test4 DurationMillis=106 hierarchy=maybe includeInactive=false
I would like the extracted results from the URL to look like:
QP_hierarchy=false
QP_includeInactive=true
QP_test1=test2
QP_test3=test4
Here are my props and transforms:
[app_transaction]
LINE_BREAKER = ([\r\n]+
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = False
TIME_PREFIX = ^
TRANSFORMS-extract = app_transaction_params
TRUNCATE = 99999
[app_transaction_params]
FORMAT = QP_$1::$2
MV_ADD = false
REGEX = (?:\?|&)(\w+)=([^&\s]+)
REPEAT_MATCH = true
SOURCE_KEY = _raw
The regex seems to work in regex101.com and extracts the groups correctly. The props is line breaking correctly. Any ideas whats wrong with my transforms here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pdominicb
1) may i know where did you configure the props and transforms?
is it on indexers or search heads or heavy forwarders or UF's?
2) after updating the props and transforms, did you restart the splunk service?
----------------------------------------------------------------------------------------------
If this post or any post addressed your question, could you pls:
Give it karma to show appreciation
PS - As of May 2026, my Karma Given is 2312 and my Karma Received is 497, lets revamp the Karma Culture!
Thanks and best regards, Sekar
--------------------------------------------------------------------------------------------
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh sorry, I should have added that context in my post.
The props and transforms are both on the indexers, and yes Splunk has been restarted. Although I believe when props and transforms are pushed to indexers the deploy will do a reload, correct?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to understand whether the props and transforms are being applied or not, you can use the btool command
/opt/splunk/bin/splunk btool props list <sourcetype> --debug
/opt/splunk/bin/splunk btool transforms list <transform_name> --debug
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It says they are, but its not applying the prefix in Splunk.
[splunk@myhost ~]$ /opt/splunk/bin/splunk btool props list app_transaction --debug | grep local
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf [app_transaction]
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf LINE_BREAKER = ([\r\n]+
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 30
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf SHOULD_LINEMERGE = False
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf TIME_PREFIX = ^
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf TRANSFORMS-extract = app_transaction_params
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf TRUNCATE = 99999
[splunk@myhost ~]$ /opt/splunk/bin/splunk btool transforms list app_transaction_params --debug | grep local
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf [app_transaction_params]
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf FORMAT = QP_$1::$2
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf MV_ADD = false
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf REGEX = (?:\?|&)(\w+)=([^&\s]+)
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf REPEAT_MATCH = true
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf SOURCE_KEY = _raw
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
