Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is there any way to *selectively* avoid automatic field extraction?

sideview
SplunkTrust
SplunkTrust
‎02-11-2011 09:42 PM

I have multiline events where there's a fair bit of auto-kv extraction that is good, but then there's a lot of noise as well.

I can create regexes to match the really noisy bits and this works well. I nearly get perfect coverage on the high-value fields that I actually need.

The problem is that even when I have a regex matching, sometimes the same field appears in a foo=bar pair further down into the event, and the autoKV match is clobbering my more explicit regex match. Can someone point me in the right direction? (Obviously the answer is to make the logging less deranged, but it's not an option atm unfortunateley)

-------------------------------------
Fields: Field=GoodValue;foo=bar;jackiechan=theman
AnotherGoodField = AnotherGoodValue
User = bob
.....
Field : BadNoisyValueThatClobbersMyGoodValue
-------------------------------------

One idea is - can I tell the autokv stuff not to pay attention to colons? All the colon stuff is hideously noisy in this sourcetype.

Tags (1)
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-11-2011 10:35 PM

You could disable KV discovery for a particular source, host, or sourcetype in props.conf. Maybe this would help:

PROPS.CONF:

[mysourcetype]
KV_MODE = none
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 01:55 AM

The colon matching isn't handled by the KV_MODE switch, but by a different search-time extract.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-15-2011 01:54 AM

It does the colon matching in WinEventLog:: (and maybe WMI::) sourcetypes.

Reply

sideview
SplunkTrust
SplunkTrust
‎02-12-2011 08:08 PM

The trouble is that there's a huge number of fields for which I need the normal equals sign autokv extraction to work. I tried specifying a manual regex for equals but there's a bunch of subtlety that autokv just does really well when you look at it under a microscope and I couldnt get the manual regex to the desired standard.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎02-12-2011 08:04 PM

From what I can tell it's definitely matching colons all over the place.

0 Karma
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-11-2011 10:37 PM

I don't believe it looks for colons, by default.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...