Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to stop field extractions from within path and url fields

proylea
Contributor
‎05-16-2018 07:48 PM

How do you stop Splunk pulling fields out of paths and url fields like this one

path="/portal.php?mod=portalcp&ac=comment&op=reply&aid=561514&infloat=yes&handlekey=c_&referer=http%3A%2F%2Fwww.backchina.com%2Fportal.php%3Fmod%3Dcomment%26id%3D561514%26idtype%3Daid%26page%3D2&inajax=1&ajaxtarget=fwin_content_c_"

I've extracted the path field in props.conf and it works, but Splunk also pulls out every other keyvalue pair
mod=
ac=
etc etc etc

These fields are turning up in Splunk ES as weird user names and http_method values.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎05-16-2018 08:14 PM

You can probably do it with setting KV_MODE=none in the props.conf file for the sourcetype (or source, whichever works for you case). This was already answered this way in:

https://answers.splunk.com/answers/74720/disable-automatic-field-extraction.html

It seemed to work for the person in that posting.

View solution in original post

Reply
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎05-16-2018 08:14 PM

You can probably do it with setting KV_MODE=none in the props.conf file for the sourcetype (or source, whichever works for you case). This was already answered this way in:

https://answers.splunk.com/answers/74720/disable-automatic-field-extraction.html

It seemed to work for the person in that posting.

Reply
Solved! Jump to solution

proylea
Contributor
‎05-17-2018 03:02 PM

awesome thanks cp works good 🙂

0 Karma
Reply
Solved! Jump to solution

proylea
Contributor
‎05-18-2018 03:11 PM

Thanks cp all sorted

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎05-17-2018 03:53 PM

Not that I'm fishing for the karma points, but if you accept this answer, then others will know that this question has been answered satisfactorily. Thanks!! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...