Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

can extract pairdelim be limited to a single field?

cphair
Builder
‎02-25-2015 05:29 AM

Splunk automatically extracts certain fields in my Windows event logs, the ones that are specified key=value. Sometimes the Message field has its own set of key-value pairs separated by a colon, one per line, and I want to treat those as named fields too. If I run extract pairdelim="[\r\n]+" kvdelim=":", it extracts the key-value pairs in the Message field as new fields, but it also makes multivalue every field that had been extracted before. Is there a way to tell it not to do that?

0 Karma
Reply

nmanolak
Engager
‎12-02-2015 01:46 PM

You can override _raw and wipe out the old fields 

... | rename empty as _raw | rename _raw as yourfield | extract pairdelim="[\r\n]+" kvdelim=":"

a little more complicated is to keep the origraw and replace at end

... | eval origraw = _raw | rename empty as _raw | rename _raw as yourfield | extract pairdelim="[\r\n]+" kvdelim=":" | rename origraw as _raw
0 Karma
Reply

cphair
Builder
‎02-25-2015 05:34 AM

It seems to undo the multivaluing if I run a stats first(*) by _time host RecordNumber, but this seems a little silly.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...