How to prevent a space character from delimiting a...

jravida · ‎08-24-2015

Hi folks,

I have some new logs coming in, and I took a look at the fieldname that has a Windows filename in it, and it is being truncated after the space character (if there happens to be one).

The events are coming in via DB Connect, multiline, and I can see the whole filename in the _raw event:

event_guid=ABDC1234-EE33-43F3-ABCDEF
file_size=3432342
source_file=//home.local/home/caddev/usernameish/temp deck overview.pptx
target_path=

So the event is indexing fine, but when I search, and Splunk does it's generic field extraction, the source_file field turns into:

source_file=//home.local/home/caddev/usernameish/temp

Is there a quick way to fix this?

somesoni2 · ‎08-25-2015

The raw file is multiline events OR everything is coming in single line? Does the file name always contain extension of the file??

diogofgm · ‎08-24-2015

you need to build the extraction for that. A quick way is to use the extract fields in the event actions.
Check these splunk docs:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/ExtractfieldsinteractivelywithIFX

------------
Hope I was able to help you. If so, an upvote would be appreciated.

jravida · ‎08-25-2015

The extract fields utility is broken in my install. I'll have to investigate further, but for now it is erroring out.

How to prevent a space character from delimiting and truncating my filename field?