Splunk Search

How to ignore splunk field naming convention during extraction?

Path Finder

Hi,

In case I have a key-value format and the name of the key starting with __ or every other invalid characters,
How can I ignore Splunk from changing the key name and keep it as is?

Thanks for your help

0 Karma

SplunkTrust
SplunkTrust

I believe you can avoid some cleanup (not recommended) if you're using custom field extraction using Field Transforms. Using following attribute:

CLEAN_KEYS = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
* Optional. Controls whether Splunk "cleans" the keys (field names) it
  extracts at search time.
  "Key cleaning" is the practice of replacing any non-alphanumeric
  characters (characters other than those falling between the a-z, A-Z, or
  0-9 ranges) in field names with underscores, as well as the stripping of
  leading underscores and 0-9 characters from field names.
* Add CLEAN_KEYS = false to your transform if you need to extract field
  names that include non-alphanumeric characters, or which begin with
  underscores or 0-9 characters.
* Defaults to true.
0 Karma

SplunkTrust
SplunkTrust

I'm pretty sure you can't do that.

---
If this reply helps you, an upvote would be appreciated.
0 Karma