Splunk Search

Field discovery with multi-value containing space

swapsapar
New Member

Hi,
I'm trying to understand how the Field Discovery part works by default while dealing with a multi-value string containing spaces.
e.g. I have like 50 fields similar to the following, which take the format key1=value1, with a few exceptions where there is more than one value for the key: key2=value3 value4. Note the "space" between the two values here.

category=auto model=new color=red blue green type=sports

I have a choice of updating my message signature.

Q. I would like to know the best way to escape the spaces between red blue green?
Q. Would putting the whole value side in double quotes (") like the following solve this problem?
category=auto model=new color="red blue green" type=sports
Q. Any other alternative?


bbingham
Builder

Putting the value inside quotes will make Splunk take "red blue green" as one value for "color", not a multivalue field. You could take this approach and then use:

|makemv delim=" " color

And Splunk will make it a multivalue field.

If you'd like Splunk to treat these items as a multivalue field without using the search language, you'll need to set up fields.conf with the regex that defines the different values. Take a look at this portion of the documentation: Multivalue Fields

The example fields.conf file has a great example doing something similar with the email "to" field.

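The quoting plus makemv approach from the answer above, written out as an added example that is not from the original thread. The sample event is constructed with makeresults so the search runs on any Splunk instance without indexed data: row 1 carries the unquoted value from the question and row 2 the quoted form, so what automatic key=value extraction (the extract command, alias kv) pulls out of each is visible side by side. The field name color_count is an assumption for this example.

```spl
| makeresults count=2
| streamstats count AS row
| eval _raw=if(row=1, "category=auto model=new color=red blue green type=sports", "category=auto model=new color=\"red blue green\" type=sports")
| extract
| makemv delim=" " color
| eval color_count=mvcount(color)
| table row _raw category model color color_count type
```

Row 1 comes back with color=red and color_count=1: the auto extractor stops an unquoted value at the first space, and "blue" and "green" are silently dropped because they are not key=value pairs. Row 2 comes back with color holding red, blue and green as three separate values and color_count=3, because the quotes make "red blue green" one extracted value and makemv then splits it on the space. So the quoting has to happen at the source; nothing at search time can recover words the extractor never captured. The search-time equivalent with a regex instead of a delimiter is `| makemv tokenizer="([^ ]+)" color`. To get the same split without any SPL, the fields.conf stanza on the search head is `[color]` followed by `TOKENIZER = ([^ ]+)`; the first capture group of each match becomes one value, which is exactly how the `To` stanza in fields.conf.example splits email recipients. Note that TOKENIZER only applies to search-time fields; it is ignored for fields configured with INDEXED = true.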