Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

set delimiter

newbiesplunk
Path Finder
‎09-26-2014 10:24 PM

Hi,
The key-pair values delimiter is ":" instead of "=", how to configure such that the colon ":" is also a delimiter? thks
I configured below:

props.conf
[test]
TRANSFORMS-delim=AddDelimiter

transforms.conf
[AddDelimiter]
DELIMS=":"

But it does not works.

Tags (1)
Reply

lguinn2
Legend
‎09-27-2014 01:17 PM

I think this will work

props.conf

[yoursourcetypehere]
KV_MODE = none
REPORT-extract1 = special-field-extraction

transforms.conf

[special-field-extraction]
DELIMS = " ", ":"
MV_ADD = true

I believe that you need two values for the DELIMS attribute - the first is the list of characters that can separate fields, so I set it to a space. The second value identifies the separator between the field name and its value, so I set it to ":".
Setting KV_MODE to none in props.conf disables the default field extraction, which is based on "=". MV_ADD allows multi-value fields, but you can remove this line if it doesn't apply.

Reply

somesoni2
Revered Legend
‎09-27-2014 12:32 AM

Try adding this to props.conf

[test]
SEDCMD-replacecolon = s/:/=/g
0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-27-2014 06:51 AM

Hmm, since that would mean that _raw is rewritten, it could mess up timestamps, which regularly use colons.
/k

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...