Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract key value pairs where each value has non-standard "quoters" (ex: foo='bar', dog='cat')?

ccollord
Explorer
‎03-23-2015 01:28 PM

Hi,
To make a long story short i have some logs that are key value pairs, like so:

foo="bar" dog="cat" frog="bat"
Unfortunately my Windows logging daemon converts to this:

[hostname] data="foo='bar' dog='cat' frog='bat'"

Splunk is actually handling the extractions just fine, except that each value pair is:
'bar', 'cat', 'bat'
(They have the included single-tick in the value.) Is there an easy way to fix this? From Splunk documentation and a blog post from 2008 i've gathered that the quotation marks around the values are called "quoters" and they are not configurable to be different characters like an apostrophe[1]. What else can i do?

[1] http://blogs.splunk.com/2008/02/12/delimiter-based-key-value-pair-extraction/

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-23-2015 01:53 PM

Option 1: use SEDCMD in props.conf on Indexer to format your logs (your can update [hostname] data="foo='bar' dog='cat'" to [hostname] foo="bar" dog="cat" frog="bat")
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Anonymizedatausingconfigurationfiles

Option 2: use search time field extraction to cleanup the values. This can be done per field (field extraction) OR for all fields (field transformation)
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Createandmaintainsearch-timefieldextract...

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-23-2015 01:53 PM

Option 1: use SEDCMD in props.conf on Indexer to format your logs (your can update [hostname] data="foo='bar' dog='cat'" to [hostname] foo="bar" dog="cat" frog="bat")
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Anonymizedatausingconfigurationfiles

Option 2: use search time field extraction to cleanup the values. This can be done per field (field extraction) OR for all fields (field transformation)
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Createandmaintainsearch-timefieldextract...

Reply
Solved! Jump to solution

ccollord
Explorer
‎03-23-2015 02:09 PM

The SEDCMD looks like it'll work just great for what i need. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...