Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field discovery with multi-value containing space

swapsapar
New Member
‎09-02-2011 02:50 PM

Hi,
I'm trying to understand how the Field Discovery part works by default while dealing with a multi-value string containing spaces.
e.g I have like 50 fields similar to following which takes the format key1=value1 with a few exceptions where there are more than one value to the key; key2=value3 value4. Note the "space" between the two values here.

category=auto model=new color=red blue green type=sports

I have a choice of updating my message signature.

Q. I would like to know what is the best way to escape the space between red blue red?
Q. Putting the whole value side in the couble-quotes (") like following would solve this problem?
category=auto model=new color="red blue green" type=sports
Q. Any other alternative?

Tags (1)
0 Karma
Reply

bbingham
Builder
‎09-03-2011 02:52 AM

Putting the value inside quotes will make splunk take "red blue green" as one value for "color", not a multivalue field. You could take this approach and then use:

|makemv delim=" " color

And splunk will make it a multivalue field.

If you'd like splunk to treat the these items as a multivalued field without using the search language, you'll need to setup fields.conf for the regex that defines the different values. Take a look at this portion of the documentation: Multivalue Vields

the example fields.conf file has a great example doing something similar with the email "to" field.

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...