Splunk Search

How does Splunk log keyword pair extraction overwrites field value unintentionally?

SplunkTrust
SplunkTrust

I have a log of the form

  <timestamp> field1 field2 field3 field4 urlfield ....

For example:

<timestamp>   field1  field2   field3  field4   http://mydomain.com?field2=blah

So what happens is that when a user uses one of my fields in an url, I don't get the true value of field2 (from my log) but instead Splunk is doing the keyvalue pair extraction for me and field2 is set to blah.

How do people generally handle this case?

0 Karma

SplunkTrust
SplunkTrust

@burwell can you add some sample events? You can mock/anonymize any sensitive data. Also share your props.conf and transforms.conf (if it is used for field extraction). What is the configuration you are using for extraction of field1, field2 etc? Are these actually extracted through regex or delimited string? By any chance is the source of data is csv file?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Builder

I rex the fields and name them something different

###

If this reply helps you, an upvote would be appreciated.
0 Karma

Champion

Can you try to disable auto KV (so set KV_MODE=none)?