Re: How to ignore splunk field naming convention d...

shayhibah · ‎02-28-2018

Hi,

In case I have a key-value format and the name of the key starting with __ or every other invalid characters,
How can I ignore Splunk from changing the key name and keep it as is?

Thanks for your help

somesoni2 · ‎03-01-2018

I believe you can avoid some cleanup (not recommended) if you're using custom field extraction using Field Transforms. Using following attribute:

CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it
  extracts at search time.
  "Key cleaning" is the practice of replacing any non-alphanumeric
  characters (characters other than those falling between the a-z, A-Z, or
  0-9 ranges) in field names with underscores, as well as the stripping of
  leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field
  names that include non-alphanumeric characters, or which begin with
  underscores or 0-9 characters.
* Defaults to true.

richgalloway · ‎03-01-2018

I'm pretty sure you can't do that.

---
If this reply helps you, Karma would be appreciated.

How to ignore splunk field naming convention during extraction?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms