Iterative fields with spaces in values

michaelbrunetto · ‎02-20-2013

I'm having trouble with the way Splunk parses some of my logs which has field=value pairs that have values with unquoted values with spaces. Example:
_raw = some|segmented|text|field1=value1 field2=value2 field3=a third value field4=my forth value field5=value5 field6=one more with spaces

I've already broken it up so I get the following field:
GENERIC = field1=value1 field2=value2 field3=a third value field4=my forth value field5=value5 field6=one more with spaces

The problem is Splunks parsing automatically determines this:
field1=value1
field2=value2
field3=a
field4=my
field5=value5
field6=one

should be:
field1=value1
field2=value2
field3=a third value
field4=my forth value
field5=value5
field6=one more with spaces

I've tried using regexes with rex, but the problem is that all of these fields are optional, and I don't necessarily have a complete list of fields yet.
Most recently I've been trying to use sed to put a \n in front of anything with an = sign after it, but that hasn't worked so well.

Good news is, from everything I can tell, the fields don't have spaces in them.
{edited for formatting}

martin_mueller · ‎02-21-2013

You could build a regex that looks for field2= or $ after extracting field1=[^=]+, that way it should walk right up to the next field name but not include it.

Iterative fields with spaces in values

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Iterative fields with spaces in values

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?