How do you stop Splunk pulling fields out of paths and URL fields like this one?
path="/portal.php?mod=portalcp&ac=comment&op=reply&aid=561514&infloat=yes&handlekey=c_&referer=http%3A%2F%2Fwww.backchina.com%2Fportal.php%3Fmod%3Dcomment%26id%3D561514%26idtype%3Daid%26page%3D2&inajax=1&ajaxtarget=fwin_content_c_"
I've extracted the path field in props.conf and it works, but Splunk also pulls out every other key-value pair:
mod=
ac=
etc etc etc
These fields are turning up in Splunk ES as weird user names and http_method values.
You can probably do it by setting KV_MODE=none in the props.conf file for the sourcetype (or source, whichever works for your case). This was already answered this way in:
https://answers.splunk.com/answers/74720/disable-automatic-field-extraction.html
It seemed to work for the person in that posting.
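A sketch of the stanza the answer describes, added here as an example and not taken from the original posts. The sourcetype name and the EXTRACT regex are placeholders, since the thread does not show how the path field was actually extracted.

```ini
# props.conf on the search head (KV_MODE is a search-time setting)
# "my_web_sourcetype" is a placeholder; use your own sourcetype,
# or a [source::<your source>] stanza if you scope by source instead.
[my_web_sourcetype]

# Turn off automatic key=value extraction for this sourcetype, so the
# query-string pairs inside path (mod=, ac=, op=, ...) stop becoming fields.
KV_MODE = none

# Explicit extractions still run with KV_MODE = none. This assumed regex
# keeps the whole quoted value, query string included, as a single field.
EXTRACT-path = path="(?<path>[^"]*)"
```

With KV_MODE = none, any other field that was only appearing through automatic extraction also disappears for this sourcetype, so each one you still need (including those feeding ES data models) has to get its own EXTRACT or REPORT entry.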
awesome thanks cp works good 🙂
Thanks cp all sorted
Not that I'm fishing for the karma points, but if you accept this answer, then others will know that this question has been answered satisfactorily. Thanks!! 🙂