Splunk Search

How are underscores in logs treated by Splunk?

daniel333
Builder

All,

Can you explain how the underscore is treated by Splunk? I see they are dropped at search times.

I am seeing a log that has:
_message="some words"

But it's extracted automatically as:
message=""

Would there be any value in me fixing _message to message at index-time?

0 Karma

renjith_nair
Legend

It's done by transforms during search time field extraction. You can disable it by setting below property in transforms.conf

CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time. 
  "Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other
  than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as 
  well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include 
  non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.

You shoud be careful with that though or disable it only for certain sourcetypes. See here for more info

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

---
What goes around comes around. If it helps, hit it with Karma 🙂

renjith_nair
Legend

@daniel333 , please mark as answer if it's resolved your issue so that the thread will be closed

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

daniel333
Builder

So based on what I think you're saying here. Is that there might be value in saving some field extraction at search time if I can correct this at ingestion time?

0 Karma

daniel333
Builder

So I am looking at about 20 million events an hour with this _. I am thoerizing that it will save some time on field extraction by using a props.conf SEDCMD on our heavy forwarders.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...