All,
Can you explain how the underscore is treated by Splunk? I see they are dropped at search times.
I am seeing a log that has:
_message="some words"
But it's extracted automatically as:
message=""
Would there be any value in me fixing _message to message at index-time?
It's done by transforms during search time field extraction. You can disable it by setting below property in transforms.conf
CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it extracts at search time.
"Key cleaning" is the practice of replacing any non-alphanumeric characters (characters other
than those falling between the a-z, A-Z, or 0-9 ranges) in field names with underscores, as
well as the stripping of leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field names that include
non-alphanumeric characters, or which begin with underscores or 0-9 characters.
* Defaults to true.
You shoud be careful with that though or disable it only for certain sourcetypes. See here for more info
@daniel333 , please mark as answer if it's resolved your issue so that the thread will be closed
So based on what I think you're saying here. Is that there might be value in saving some field extraction at search time if I can correct this at ingestion time?
So I am looking at about 20 million events an hour with this _. I am thoerizing that it will save some time on field extraction by using a props.conf SEDCMD on our heavy forwarders.