
Can you tell Auto KV to honor values within single quotes instead of double quotes?

Lowell
Super Champion

I feel like I should know the answer to this, but just in case I missed something...

Splunk automatically handles field extractions for events like this very well:

Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]:  successful login.  user="joe" ip="10.0.0.99"

This works, but it results in all field values wrapped in literal single quotes:

Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]:  successful login.  user='joe' ip='10.0.0.99'

So user is now 'joe' and ip is now '10.0.0.99' (Because the single quotes become part of the field's value.)

Is there a way to make this work more efficiently with Splunk's automatic KV mode (KV_MODE=auto) so that single quotes are treated as double quotes are traditionally handled?

I realize this can be done with a REGEX, but I was hoping for a better solution.

0 Karma

woodcock
Esteemed Legend

You can create your own KV_MODE extractions like this:

props.conf:

# Placeholder stanza name: use the sourcetype (or source/host) of these events
[<your_sourcetype>]
REPORT-kvmode = single_quote_kvps

transforms.conf:

[single_quote_kvps]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^=\s]+)='([^']+)'
SOURCE_KEY = _raw

0 Karma
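To see what that REGEX captures before deploying it, here is an added Python example (not from the thread and not Splunk's own code). It applies the same pattern to events constructed after the ones in the question, mimics MV_ADD=1 by accumulating repeated keys into a list, and includes two constructed edge cases, an empty value and a value containing an apostrophe, that the `[^']+` part of the pattern does not handle. The double-quote pattern is a constructed stand-in for comparison only; Splunk's auto KV logic is not a single regex.

```python
import re

# The REGEX from the transforms.conf stanza above: a key, '=', then a single-quoted value.
SINGLE_QUOTE_KVP = re.compile(r"([^=\s]+)='([^']+)'")

# Constructed counterpart for the double-quoted form that KV_MODE=auto already handles.
# Stand-in for comparison only; it is not how Splunk implements auto KV.
DOUBLE_QUOTE_KVP = re.compile(r'([^=\s]+)="([^"]+)"')


def extract_kvps(raw, pattern=SINGLE_QUOTE_KVP):
    """Return {key: [value, ...]} from one raw event.

    Repeated keys accumulate into a list, which is what MV_ADD = 1 does
    in transforms.conf instead of keeping only the first or last value.
    """
    fields = {}
    for key, value in pattern.findall(raw):
        fields.setdefault(key, []).append(value)
    return fields


# Constructed sample events modelled on the two in the question.
SINGLE_QUOTED_EVENT = (
    "Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]:  successful login.  "
    "user='joe' ip='10.0.0.99'"
)
DOUBLE_QUOTED_EVENT = (
    "Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]:  successful login.  "
    'user="joe" ip="10.0.0.99"'
)

# Constructed edge cases the stanza's REGEX does not cover:
#   role=''          empty value: [^']+ needs at least one character, so 'role' is dropped
#   note='it's fine' apostrophe inside the value: the match stops at the first ', so
#                    note becomes "it" and the rest of the text is skipped
EDGE_EVENT = "service[7]: role='' note='it's fine' host='web01'"


if __name__ == "__main__":
    print(extract_kvps(SINGLE_QUOTED_EVENT))
    print(extract_kvps(DOUBLE_QUOTED_EVENT, DOUBLE_QUOTE_KVP))
    print(extract_kvps(EDGE_EVENT))
```

The third result is the one worth looking at before trusting the extraction: a field that silently disappears (role) or is truncated (note) will not raise any error in Splunk either, so if the source can emit empty or apostrophe-containing values, the quoting rule in the regex needs to be widened for that source.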

Lowell
Super Champion

I was hoping that Splunk would have added support for this without requiring a REGEX, but I'm doubtful any such solution exists. My understanding is that dynamic key regexes have some negative performance implications ($1::$2).

0 Karma

woodcock
Esteemed Legend

How do you think the built-in works? Productivity should usually trump performance, although the latter should never be ignored.

0 Karma