Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field discovery with multi-value containing space

swapsapar
New Member
‎09-02-2011 02:50 PM

Hi,
I'm trying to understand how the Field Discovery part works by default while dealing with a multi-value string containing spaces.
e.g I have like 50 fields similar to following which takes the format key1=value1 with a few exceptions where there are more than one value to the key; key2=value3 value4. Note the "space" between the two values here.

category=auto model=new color=red blue green type=sports

I have a choice of updating my message signature.

Q. I would like to know what is the best way to escape the space between red blue red?
Q. Putting the whole value side in the couble-quotes (") like following would solve this problem?
category=auto model=new color="red blue green" type=sports
Q. Any other alternative?

Tags (1)
0 Karma
Reply

bbingham
Builder
‎09-03-2011 02:52 AM

Putting the value inside quotes will make splunk take "red blue green" as one value for "color", not a multivalue field. You could take this approach and then use:

|makemv delim=" " color

And splunk will make it a multivalue field.

If you'd like splunk to treat the these items as a multivalued field without using the search language, you'll need to setup fields.conf for the regex that defines the different values. Take a look at this portion of the documentation: Multivalue Vields

the example fields.conf file has a great example doing something similar with the email "to" field.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...