can extract pairdelim be limited to a single field...

cphair · ‎02-25-2015

Splunk automatically extracts certain fields in my Windows event logs, the ones that are specified key=value. Sometimes the Message field has its own set of key-value pairs separated by a colon, one per line, and I want to treat those as named fields too. If I run extract pairdelim="[\r\n]+" kvdelim=":", it extracts the key-value pairs in the Message field as new fields, but it also makes multivalue every field that had been extracted before. Is there a way to tell it not to do that?

nmanolak · ‎12-02-2015

You can override _raw and wipe out the old fields

... | rename empty as _raw | rename _raw as yourfield | extract pairdelim="[\r\n]+" kvdelim=":"

a little more complicated is to keep the origraw and replace at end

... | eval origraw = _raw | rename empty as _raw | rename _raw as yourfield | extract pairdelim="[\r\n]+" kvdelim=":" | rename origraw as _raw

cphair · ‎02-25-2015

It seems to undo the multivaluing if I run a stats first(*) by _time host RecordNumber, but this seems a little silly.

can extract pairdelim be limited to a single field?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

can extract pairdelim be limited to a single field?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!