Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Transforms not working trying to extract KV pairs from URL

pdominicb
Loves-to-Learn
Wednesday

I have events with URLs, and the URLs contain parameters with KV values in them. Splunk auto extracts the KV pairs, but I want the transforms to apply a prefixed value to the key names from the pairs in the URL. For some reason my transforms refuse to work.

Here are a few sample events:

05-11-2026T14:08:01-05:00 LogLevel=INFO TraceId=69baf81038352c1e63cae59b98259742 Url=https://api.something.com/rsi/something/replacement/internal/something_internal_services/resources/org/p/ZMC31/01?hierarchy=false&includeInactive=true&test1=test2&test3=test4 DurationMillis=109 hierarchy=maybe includeInactive=false
05-11-2026T14:07:54-05:00 LogLevel=INFO TraceId=69baf80a0a882f20e6c944e61c5109a2 Url=https://api.something.com/rsi/something/replacement/internal/something_internal_services/resources/org/p/3UC31/01?hierarchy=false&includeInactive=true&test1=test2&test3=test4 DurationMillis=106 hierarchy=maybe includeInactive=false

 

 I would like the extracted results from the URL to look like:

QP_hierarchy=false
QP_includeInactive=true
QP_test1=test2
QP_test3=test4

 

Here are my props and transforms:

[app_transaction]
LINE_BREAKER = ([\r\n]+
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = False
TIME_PREFIX = ^
TRANSFORMS-extract = app_transaction_params
TRUNCATE = 99999

[app_transaction_params]
FORMAT = QP_$1::$2
MV_ADD = false
REGEX = (?:\?|&)(\w+)=([^&\s]+)
REPEAT_MATCH = true
SOURCE_KEY = _raw

 

The regex seems to work in regex101.com and extracts the groups correctly. The props is line breaking correctly. Any ideas whats wrong with my transforms here? 

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
Friday

Splunk has created some (or actually quite many) parsing tokens for different http URLs. You should just look those from $SPLUNK_HOME/etc/system/default/props+transfoms.conf files. Basically you could utilize those generic tokenizations in your own definitions too. Those are parsing URLs quite well. 

0 Karma
Reply

pdominicb
Loves-to-Learn
8 hours ago

I see "simple_url" and "url" in the transforms.conf spec. But they look like they only extract the url, domain, uri, and a few other things. But they don create extracted KV pairs from a url parameter string.  

Let me know if I'm missing any. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
Friday

Adding to @livehybrid 's comment - as a rule of thumb, search time extractions are "better". Unless you have a really border case, it's better to create a search time extraction (and maybe accelerate the search in one of possible ways if you need it) than to create index time extractions.

Anyway, my first guess would be that you might by any chance using indexed extractions.

Secondly, I can never get my head around when you need the WRITE_META setting and when you don't.

But still I'd just go for search time extraction.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
Wednesday

Hi @pdominicb 

This configuration would create index-time extractions not search-time, is that intentional? Therefore changes you make will not apply to previously ingested data.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

pdominicb
Loves-to-Learn
Thursday

That is the intention and I'm aware that it would not apply to previously indexed data. However, if you think this would work better (or at all) as a search time extraction I would be ok with that as a solution. It was my impression that this would not work at search time and had to be on indexers. Do you think I should move this to the search heads?

EDIT: I just tried this on a single instance deployment and am still not seeing the field names show up prefixed with "QP_" like QP_hierarchy. So it just seems like there is something wrong in my transforms, or my props isn't actually calling the transforms for some reason. 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
Wednesday

Hi @pdominicb 

1) may i know where did you configure the props and transforms? 
 is it on indexers or search heads or heavy forwarders or UF's?

2) after updating the props and transforms, did you restart the splunk service?


----------------------------------------------------------------------------------------------
If this post or any post addressed your question, could you pls:
Give it karma to show appreciation

PS - As of May 2026, my Karma Given is 2312 and my Karma Received is 497, lets revamp the Karma Culture!
Thanks and best regards, Sekar
--------------------------------------------------------------------------------------------

0 Karma
Reply

pdominicb
Loves-to-Learn
Wednesday

Oh sorry, I should have added that context in my post. 

The props and transforms are both on the indexers, and yes Splunk has been restarted. Although I believe when props and transforms are pushed to indexers the deploy will do a reload, correct?

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
Wednesday

to understand whether the props and transforms are being applied or not, you can use the btool command

/opt/splunk/bin/splunk btool props list <sourcetype> --debug

/opt/splunk/bin/splunk btool transforms list <transform_name> --debug

0 Karma
Reply

pdominicb
Loves-to-Learn
Wednesday

It says they are, but its not applying the prefix in Splunk.

[splunk@myhost ~]$ /opt/splunk/bin/splunk btool props list app_transaction --debug | grep local
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf [app_transaction]
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf LINE_BREAKER = ([\r\n]+
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf MAX_TIMESTAMP_LOOKAHEAD = 30
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf SHOULD_LINEMERGE = False
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf TIME_PREFIX = ^
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf TRANSFORMS-extract = app_transaction_params
/opt/splunk/etc/apps/ehi_dev_standard_props/local/props.conf TRUNCATE = 99999

[splunk@myhost ~]$ /opt/splunk/bin/splunk btool transforms list app_transaction_params --debug | grep local
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf [app_transaction_params]
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf FORMAT = QP_$1::$2
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf MV_ADD = false
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf REGEX = (?:\?|&)(\w+)=([^&\s]+)
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf REPEAT_MATCH = true
/opt/splunk/etc/apps/ehi_dev_standard_props/local/transforms.conf SOURCE_KEY = _raw
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...