Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract key value pairs where each value has non-standard "quoters" (ex: foo='bar', dog='cat')?

ccollord
Explorer
‎03-23-2015 01:28 PM

Hi,
To make a long story short i have some logs that are key value pairs, like so:

foo="bar" dog="cat" frog="bat"
Unfortunately my Windows logging daemon converts to this:

[hostname] data="foo='bar' dog='cat' frog='bat'"

Splunk is actually handling the extractions just fine, except that each value pair is:
'bar', 'cat', 'bat'
(They have the included single-tick in the value.) Is there an easy way to fix this? From Splunk documentation and a blog post from 2008 i've gathered that the quotation marks around the values are called "quoters" and they are not configurable to be different characters like an apostrophe[1]. What else can i do?

[1] http://blogs.splunk.com/2008/02/12/delimiter-based-key-value-pair-extraction/

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-23-2015 01:53 PM

Option 1: use SEDCMD in props.conf on Indexer to format your logs (your can update [hostname] data="foo='bar' dog='cat'" to [hostname] foo="bar" dog="cat" frog="bat")
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Anonymizedatausingconfigurationfiles

Option 2: use search time field extraction to cleanup the values. This can be done per field (field extraction) OR for all fields (field transformation)
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Createandmaintainsearch-timefieldextract...

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-23-2015 01:53 PM

Option 1: use SEDCMD in props.conf on Indexer to format your logs (your can update [hostname] data="foo='bar' dog='cat'" to [hostname] foo="bar" dog="cat" frog="bat")
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Anonymizedatausingconfigurationfiles

Option 2: use search time field extraction to cleanup the values. This can be done per field (field extraction) OR for all fields (field transformation)
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Createandmaintainsearch-timefieldextract...

Reply
Solved! Jump to solution

ccollord
Explorer
‎03-23-2015 02:09 PM

The SEDCMD looks like it'll work just great for what i need. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...