How to ignore Splunk field naming convention during extraction?

Path Finder


In case I have a key-value format and the name of the key starts with __ or any other invalid characters,
how can I stop Splunk from changing the key name and keep it as is?

Thanks for your help

0 Karma

Revered Legend

I believe you can avoid some cleanup (not recommended) if you're using custom field extraction with Field Transforms, using the following attribute:

CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it
  extracts at search time.
  "Key cleaning" is the practice of replacing any non-alphanumeric
  characters (characters other than those falling between the a-z, A-Z, or
  0-9 ranges) in field names with underscores, as well as the stripping of
  leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field
  names that include non-alphanumeric characters, or which begin with
  underscores or 0-9 characters.
* Defaults to true.
0 Karma
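
A minimal search-time configuration that uses the attribute quoted above, given as an added example and not as part of the original answer or Splunk's own documentation. The sourcetype name `my_kv_sourcetype`, the stanza name `kv_keep_raw_keys`, the regex and the sample event are assumptions made for illustration.

```ini
# Constructed sample event for this example:
#   __session_id=abc123 1st.attempt=true user-name=alice
#
# Field names after key cleaning (CLEAN_KEYS = true, the default),
# following the rules quoted above:
#   session_id, st_attempt, user_name
# Field names with CLEAN_KEYS = false:
#   __session_id, 1st.attempt, user-name

# ---- transforms.conf ----
[kv_keep_raw_keys]
# Group 1 captures the key exactly as written, group 2 the value.
REGEX = ([^\s=]+)=(\S+)
# Use the captured key as the field name and the captured value as its value.
FORMAT = $1::$2
# Keep leading underscores, leading digits and non-alphanumeric characters.
CLEAN_KEYS = false

# ---- props.conf ----
[my_kv_sourcetype]
# REPORT- attaches the transform as a search-time extraction,
# which is the only place CLEAN_KEYS is valid.
REPORT-kv_keep_raw_keys = kv_keep_raw_keys
# Assumption: automatic key=value extraction is turned off so that only
# the uncleaned field names from the transform appear for these events.
KV_MODE = none
```

Field names kept this way contain characters that SPL treats specially, so they generally need quoting when referenced in searches, for example single quotes inside `eval` expressions.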


I'm pretty sure you can't do that.

If this reply helps you, an upvote would be appreciated.
0 Karma