Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- extract command
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkn
Communicator
07-18-2016
03:45 AM
Hi,
This is sample event. I tried to explore extract command.
index=* sourcetype=orange | extract pairdelim=";", kvdelim=":"
4/18/161:00:00.000 PM 2016-04-18 13:00:00 user:hgfh;std:6;status:success
For the above event its only extracted std as 6 and status as success but not the user. Why is that like. So is it expecting ";" before and after?
And cant we use kvdelim alone in our queries?
index=* sourcetype=orange | extract kvdelim=":"
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tormodbp
Path Finder
07-18-2016
07:10 AM
Try specifying space-character as a pair delimiter as well.
index=* sourcetype=orange | extract pairdelim="; " kvdelim=":"
For me that gave the correct and expected result.
user:hgfh
std:6
status:success
I suspect that since the kv extract is "mid-sentence" it tries to outrule anything that does not fit exactly with the specified pair delimiter. Thus resulting in the return of only two kv-pairs unless you specify space and semicolon as pair delimiters.
Cheers,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tormodbp
Path Finder
07-18-2016
07:10 AM
Try specifying space-character as a pair delimiter as well.
index=* sourcetype=orange | extract pairdelim="; " kvdelim=":"
For me that gave the correct and expected result.
user:hgfh
std:6
status:success
I suspect that since the kv extract is "mid-sentence" it tries to outrule anything that does not fit exactly with the specified pair delimiter. Thus resulting in the return of only two kv-pairs unless you specify space and semicolon as pair delimiters.
Cheers,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunkn
Communicator
07-18-2016
11:34 PM
Thanks tomodbp. Its worked !! aren't we able to use kvdelim alone?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tormodbp
Path Finder
07-19-2016
12:04 AM
No problem!
I would think that you should be able to, but I am unable to find any documentation to support that claim. I've tried to experiment with the parameters. So far I have not found any other solution using ´kv´ / ´extract´, sorry.
Get Updates on the Splunk Community!
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
