Re: Using SPATH notation in conf files

danielwysockiar · ‎08-31-2018

Hi guys,
I need to uto extract fields and values during search time using SPATH notation in props.conf and transforms.conf filles.
I know that there are more convinient ways to do that, but I have to do it this way.

I know how to use spath in SPL, but can someone let me know what the syntax in the .conf file should look like?
I cannot not find it in any docs or answers.
Thank in advance.

sudosplunk · ‎08-31-2018

Hi,

Are you looking for this?

danielwysockiar · ‎08-31-2018

Not exactly, I need search-time extraction defined in .conf files, not indexed extractions.
I can not find how to use spath in props.conf.

sudosplunk · ‎08-31-2018

KV_MODE is used for search-time field extractions only. These are the values you can set for KV_MODE,

none: if you want no field/value extraction to take place.
- auto: extracts field/value pairs separated by equal signs.
- auto_escaped: extracts fields/value pairs separated by equal signs and honors \" and \ as escaped sequences within quoted values, e.g field="value with \"nested\" quotes"
- multi: invokes the multikv search command to expand a tabular event into multiple events.
- xml : automatically extracts fields from XML data.
- json: automatically extracts fields from JSON data.

Using SPATH notation in conf files

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation