Splunk automatically extracts certain fields in my Windows event logs, the ones that are specified key=value. Sometimes the Message field has its own set of key-value pairs separated by a colon, one per line, and I want to treat those as named fields too. If I run extract pairdelim="[\r\n]+" kvdelim=":" it extracts the key-value pairs in the Message field as new fields, but it also makes multivalue every field that had been extracted before. Is there a way to tell it not to do that?
You can override _raw and wipe out the old fields:
... | rename empty as _raw | rename _raw as yourfield | extract pairdelim="[\r\n]+" kvdelim=":"
A little more complicated is to keep origraw and put it back at the end:
... | eval origraw = _raw | rename empty as _raw | rename _raw as yourfield | extract pairdelim="[\r\n]+" kvdelim=":" | rename origraw as _raw
It seems to undo the multivaluing if I run a stats first(*) by _time host RecordNumber, but this seems a little silly.
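As an added illustration of the idea in the answer (scope the colon extraction to the Message text instead of re-parsing the whole event, then restore the original _raw), not code from this thread or from Splunk, here is a small Python emulation. The event is a constructed sample, the function names are mine, and clean_key only approximates what extract's clean_keys option does to keys containing spaces.

```python
import re
from collections import OrderedDict

# Constructed sample of a Windows Security event as it might sit in _raw:
# key=value header lines, then a Message block whose lines are "key: value".
SAMPLE_RAW = """\
LogName=Security
EventCode=4624
RecordNumber=123456
Message=An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tSYSTEM
\tLogon ID:\t\t0x3E7

Logon Type:\t\t\t5
"""


def clean_key(key):
    """Approximate extract's clean_keys: anything not alphanumeric becomes '_'."""
    return re.sub(r"[^0-9A-Za-z_]", "_", key.strip())


def extract_pairs(text, kvdelim, pairdelim=r"[\r\n]+"):
    """Emulate `extract pairdelim=... kvdelim=...` over one piece of text.

    Each pair is split at the first kvdelim. A key that appears more than
    once accumulates its values into a list, which is the multivalue
    behaviour the question complains about when the whole event is re-parsed.
    """
    fields = OrderedDict()
    for pair in re.split(pairdelim, text):
        if kvdelim not in pair:
            continue
        key, value = pair.split(kvdelim, 1)
        key, value = clean_key(key), value.strip()
        if not key or not value:
            continue  # e.g. the "Subject:" section header has no value
        if key in fields:
            current = fields[key]
            fields[key] = current + [value] if isinstance(current, list) else [current, value]
        else:
            fields[key] = value
    return fields


def split_header_and_message(raw):
    """Separate the key=value header from everything after 'Message='."""
    head, sep, message = raw.partition("Message=")
    return head, (message if sep else "")


def scoped_extract(raw):
    """The answer's approach, emulated.

    1. Auto-extract key=value pairs from the header (what Splunk already did).
    2. Run the colon extraction only over the Message text (the swap of
       _raw for the Message field in the answer).
    3. Merge the new pairs without touching fields that already exist, and
       restore the original raw event (the `rename origraw as _raw` step).
    """
    header, message = split_header_and_message(raw)
    fields = extract_pairs(header, "=")
    fields["Message"] = message.strip()
    for key, value in extract_pairs(message, ":").items():
        if key not in fields:  # never turn an existing field into a list
            fields[key] = value
    fields["_raw"] = raw
    return fields


if __name__ == "__main__":
    for name, value in scoped_extract(SAMPLE_RAW).items():
        if name != "_raw":
            print(f"{name} = {value!r}")
```

Running it prints the header fields unchanged (EventCode is still the single value 4624) alongside new fields such as Security_ID, Account_Name, Logon_ID and Logon_Type taken from the Message block; the duplicate-key handling in extract_pairs shows how a second pass over already-extracted fields would produce lists instead.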