Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to prevent Splunk from creating a new field and value in an event given that a field contains the symbol "equal"?

jordilazo
Explorer
‎09-28-2022 12:49 PM

Hi,

I have been able to enter the following data in splunk through key value with the following format:

 

 

 

 

 

sourcetype="excel_page_10" mail_sender="jordi@jordilazo.com" mail_recipient="lazo@jordilazo.es" mail_date_ep="1635qqqqwe2160816.0" mail_nummails="1222asdasd.adasdqweqw" mail_level="0@qw....." mail_info="NO" mail_removal="NO" mail_area="Miami" mail_subject="RE: NMXWZFOG< >VSTI" mail_id="XXX-KKKK-NNNN-KNZI" mail_reviewcomment="Comentario:ÑC<AZR=@P""\a"

 

 

 

 

 

 As can be seen in the image, splunk has been able to correctly classify all the fields and value. However it has created a new field called AZR with the value @P. This is because it has detected an = inside the comment review value and created it.

What do I have to modify in the props and transform so that it detects the entire reviewcomment field as 1 single value and includes the symbol =?

Labels (1)
Labels
Preview file
42 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chaker
Contributor
‎09-29-2022 07:14 AM

Try changing the sourcetype reference from this:

 

[test]
EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)"

 

To this:

 

[preproc]
EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)"

 

 

If you still can't get it working, I suggest using the field extractor tool. You can paste the regex straight in there. Below is the result I get.

chaker_0-1664460833934.png

https://docs.splunk.com/Documentation/Splunk/9.0.1/Knowledge/ExtractfieldsinteractivelywithIFX

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎09-29-2022 02:05 AM

 Hi @jordilazo 

This props.conf contains index time and search time instructions (the extraction is search time)

You could put this props.conf file on your searchhead, or create a new one with just the extract entry provided.

 

0 Karma
Reply
Solved! Jump to solution

jordilazo
Explorer
‎09-29-2022 06:13 AM

Hi Chaker,

Unfortunately I have tried everything but Splunk keeps automatically creating a new field for the mail_reviewcomment field.
Maybe the problem is in the input.conf?
I run the script automatically.

Here I leave my configuration:

HF:

 

 

inputs.conf

[script://script.py]
disabled = 0
index = jordi_emails
interval = 55 14 * * *
source = external
sourcetype = preproc
props.conf

[preproc]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
TIME_PREFIX = timestamp=
MAX_TIMESTAMP_LOOKAHEAD = 10
CHARSET = UTF-8
KV_MODE = auto
TRANSFORMS-dynamic_sourcetype = dynamic_sourcetype

[test]
EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)"
transform.conf

[dynamic_sourcetype]
REGEX = sourcetype="(\w+)"
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype

 

 

 

SH:

Looks exactly the same like the props.conf in my HF (as you said).

0 Karma
Reply
Solved! Jump to solution
Solution

chaker
Contributor
‎09-29-2022 07:14 AM

Try changing the sourcetype reference from this:

 

[test]
EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)"

 

To this:

 

[preproc]
EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)"

 

 

If you still can't get it working, I suggest using the field extractor tool. You can paste the regex straight in there. Below is the result I get.

chaker_0-1664460833934.png

https://docs.splunk.com/Documentation/Splunk/9.0.1/Knowledge/ExtractfieldsinteractivelywithIFX

 

0 Karma
Reply
Solved! Jump to solution

jordilazo
Explorer
‎10-03-2022 12:23 AM

This solution works but it wasn't exactly what I wanted.

In this post this person asked the same and its looks like there is no solution.
How to escape equal signs (=) in key value data? - Splunk Community

0 Karma
Reply
Solved! Jump to solution

jordilazo
Explorer
‎09-29-2022 08:42 AM

Hi Chaker,

I think it is working but the problem is that I have another event that contains double quotes" inside the value.

Here is an example: 

mail_reviewcomment="Comentario:ÑC<2KLAZR=@Q"&"\A"

So splunk is getting confused again.

How can I modify the REGEX so splunk will process the field?

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎09-29-2022 05:26 PM

Hi @jordilazo 

As long as mail_reviewcomment is the last field in all the events, the following regex will work.

EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)$

If the schema changes, and this field is no longer the last field in the event, this regex will not work, and will require some changes.

0 Karma
Reply
Solved! Jump to solution

chaker
Contributor
‎09-28-2022 05:53 PM

props.conf
[INSERT_SOURCETYPE_HERE]
EXTRACT-mail_reviewcomment = mail_reviewcomment="(?<mail_reviewcomment>.+?)"

No need to modify transforms.conf in this case.

0 Karma
Reply
Solved! Jump to solution

jordilazo
Explorer
‎09-29-2022 01:45 AM

Hi Chaker,

 

My props looks like:

[preproc]
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
TIME_PREFIX = timestamp=
MAX_TIMESTAMP_LOOKAHEAD = 10
CHARSET = UTF-8
KV_MODE = auto
TRANSFORMS-dynamic_sourcetype = dynamic_sourcetype
EXTRACT-test = mail_reviewcomment="(?<mail_reviewcomment>.+?)"
 
But is still not working. Any idea? should I introduce the events like CSV?
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...