Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

[Solved] How to extract fields with a space in a field name?

AlexeySh
Communicator
‎04-26-2019 05:34 AM

[edit - a workaround was found in the comments]

Hello,

We try to export VMware inventory to Splunk. A raw Splunk event looks like this:

VM="Template Debian 9", Powerstate="poweredOn", IP Address="100.100.100.100", Cluster="My Cluster Name", VM ID="12345", ... etc.

Splunk extracts perfectly well all fields without spaces in field name, like VM, Cluster, Powerstate, etc. But it can't extract the fields with spaces, like IP Address, VM ID, etc.; they are visible only in raw data, but not as fields.

We tried to use a rex command like that one:

rex field="IP Address" mode=sed "s/ /_/g"

but we didn't succeed.

Do you have any idea how we could extract these fields?

Thanks for the help.

0 Karma
Reply

PowerPacked
Builder
‎04-26-2019 12:04 PM

Hi

Check with CLEAN_KEYS setting in props.conf, if it can help.

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2019 05:58 AM

What are the props.conf settings for the sourcetype you are using for the data?
Splunk will parse key=value data quite well with the default settings, but does not handle embedded spaces without customization.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AlexeySh
Communicator
‎04-26-2019 06:40 AM

Actually we use DB Connect app to perform a query like "SELECT * FROM ".

And now you made me think that we can change field name directly in the DB Connect query!

Sometime you just need a second brain to think 🙂

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-26-2019 11:23 AM

Yes, you can. If that solves your problem then please come back to answer the question and accept it to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...