Iterative fields with spaces in values

michaelbrunetto · ‎02-20-2013

I'm having trouble with the way Splunk parses some of my logs which has field=value pairs that have values with unquoted values with spaces. Example:
_raw = some|segmented|text|field1=value1 field2=value2 field3=a third value field4=my forth value field5=value5 field6=one more with spaces

I've already broken it up so I get the following field:
GENERIC = field1=value1 field2=value2 field3=a third value field4=my forth value field5=value5 field6=one more with spaces

The problem is Splunks parsing automatically determines this:
field1=value1
field2=value2
field3=a
field4=my
field5=value5
field6=one

should be:
field1=value1
field2=value2
field3=a third value
field4=my forth value
field5=value5
field6=one more with spaces

I've tried using regexes with rex, but the problem is that all of these fields are optional, and I don't necessarily have a complete list of fields yet.
Most recently I've been trying to use sed to put a \n in front of anything with an = sign after it, but that hasn't worked so well.

Good news is, from everything I can tell, the fields don't have spaces in them.
{edited for formatting}

martin_mueller · ‎02-21-2013

You could build a regex that looks for field2= or $ after extracting field1=[^=]+, that way it should walk right up to the next field name but not include it.

Iterative fields with spaces in values

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!