- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to escape equal signs (=) in key value dat...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to escape equal signs (=) in key value data?
Some of our data is logged in key value format separated by an equal sign (=), e.g.:
field1=data1 field2=data2
Splunk's auto-extractions works very well with that. However, if a field's data contains an equal sign, things work, but are not perfect. Take a look at this example:
ComputerNameDn="CN=XD71DDC,OU=Computers,OU=HK,DC=hk,DC=test"
As expected, the field ComputerNameDn is exctracted with the data CN=XD71DDC,OU=Computers,OU=HK,DC=hk,DC=test. So far, so good. But I get additional fields:
CN -> XD71DDC
OU -> Computers
DC -> hk
I don't want those. How can I escape the equal sign in the data so that the additional fields do not get extracted?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create your own KV_MODE extractions like this:
props.conf:
REPORT-kvmode = double_quote_kvps
transforms.conf:
[double_quote_kvps]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^=\s]+)="([^"]+)"
SOURCE_KEY = _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unless I am misreading your regex it breaks when there are escaped double quotes, e.g. MyKey="a=1, b=2, c="1 or 2""
Not sure how to make the backslashes appear correctly in these comments, I am afraid.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You did not mention escaping double-quotes so I did not address it. My answer does not really change: build your own.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I understand that I can define my own extraction with a regex. I would prefer to simply escape the equal sign, though. However, that does not seem to be possible, right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct; you can not tune the built-in stuff to that degree; you have to clone your own.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Woodcock,
I'm having the same problem that HELGE mentioned.
I have created my own KV_MODE as you gave in the solution but I still get the same error.
Can you confirm that even if I have created my own KV_MODE IT IS NOT POSSIBLE to skip the equal symbol (=)? (Splunk keeps creating different fields whenever it finds an = inside the value).
Introducing Edge Processor: Next Gen Data Transformation
Take the 2021 Splunk Career Survey for $50 in Amazon Cash
Using Machine Learning for Hunting Security Threats
