Solved: Recommended kv extract syntax

bowa · ‎03-30-2011

What would be the recommended syntax for writing kv pairs in our logs to easily get extracted by splunk. (performance wise and robustness)

key1="String value", key2="Another, string, value", key3=123

I want it to support string value (so they can contain the delimiter character), quoted or not, but i want it to be able to contain the delimiter sequence. And i want to support numbers.

I am still free to choose the format so please give me recommendations.

ftk · ‎03-30-2011

That format looks good. Here are some other questions that have been asked before on this subject that are helpful:

http://answers.splunk.com/questions/1951/what-is-the-best-custom-log-event-format-for-splunk-to-eat

http://answers.splunk.com/questions/5357/what-is-the-best-timestamp-format-to-use-for-my-custom-log-...

View solution in original post

ftk · ‎03-30-2011

That format looks good. Here are some other questions that have been asked before on this subject that are helpful:

http://answers.splunk.com/questions/1951/what-is-the-best-custom-log-event-format-for-splunk-to-eat

http://answers.splunk.com/questions/5357/what-is-the-best-timestamp-format-to-use-for-my-custom-log-...

Recommended kv extract syntax

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation