
How to tell Splunk to automatically extract fields with symbols besides "="

Contributor

Splunk can extract fields when events contain "key=value" strings.
Could I tell Splunk to extract fields automatically for me when it meets "key:value" or "key\s*:\s*value" strings?

0 Karma

SplunkTrust

Hi crazyeva,

Splunk is using event segmentation; you can read all the details in the docs here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Abouteventsegmentation

Hope this helps ...

cheers, MuS

0 Karma

SplunkTrust

btw, ":" is included in the default list of minor segments. Default is: / : = @ . - $ # % \\ _

0 Karma

SplunkTrust

I'm unsure if you were asking about event segmentation so I'm typing this alternative comment to MuS's completely valid answer!

If the question was about extracting the fields at search time, you could use the extract command to show events with the key:value, however I don't think it would work with the spaces...
The extract command could be used for testing auto-recognizing the key:value pairs.

If you wanted to make anything that you used in the extract command always apply at search time, you would change the DELIMS setting in transforms.conf.

SplunkTrust

and another valid approach would be to use props.conf and transforms.conf :
props.conf

[mySourceType]
REPORT-000-mySpecialSegmentation = mySpecialSegmentation

transforms.conf

[mySpecialSegmentation]
REGEX = ([^\s]+)\s+:\s+([^\r\n]+)
FORMAT = $1::$2

This will work as long as your key has no spaces in it, otherwise the regex needs some adaption.

0 Karma

SplunkTrust

Would your above example work for multiple fields? For example:
key:value random text key2:value2 xxx key3:value3

Would it get just the first key:value or all 3?
I'm assuming to get all 3 might be more tricky... but I'm not sure.

0 Karma

SplunkTrust

Not quite sure because I never tested it, but my guess would be it either picks up the first or the last match but not all.

0 Karma
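Added example (not part of the original thread, and not Splunk's own code): the REGEX from the transforms.conf stanza above, run in Python against the multi-pair event from the follow-up question. Splunk's REGEX is PCRE and these constructs behave the same in Python's `re`; the `TIGHT` pattern, the sample events and the use of `finditer` to walk every match are assumptions for illustration and say nothing about how many matches Splunk itself reports.

```python
import re

# Pattern copied verbatim from the transforms.conf stanza in the thread.
POSTED = re.compile(r"([^\s]+)\s+:\s+([^\r\n]+)")

# Hypothetical tighter pattern (assumption, not from the thread):
# whitespace around ":" is optional and the value stops at whitespace.
TIGHT = re.compile(r"([^\s:]+)\s*:\s*([^\s:]+)")

# Constructed sample events; "compact" is the line from the follow-up question.
SAMPLES = {
    "compact": "key:value random text key2:value2 xxx key3:value3",
    "spaced": "key : value random text key2 : value2 xxx key3 : value3",
    "timestamp": "time: 12:30:45 user:alice",
}


def first_match(pattern, event):
    """Return the (key, value) groups of the first match, or None."""
    m = pattern.search(event)
    return m.groups() if m else None


def all_matches(pattern, event):
    """Return (key, value) groups for every non-overlapping match."""
    return [m.groups() for m in pattern.finditer(event)]


if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(name, "->", event)
        # POSTED needs whitespace on both sides of ":", so "compact" yields
        # nothing; on "spaced" the greedy [^\r\n]+ swallows the rest of the
        # line, leaving one pair whose value contains the later pairs.
        print("  POSTED:", all_matches(POSTED, event))
        # TIGHT recovers each pair, but a value that itself contains ":"
        # (the timestamp) is split into a bogus extra pair.
        print("  TIGHT: ", all_matches(TIGHT, event))
```

Checking a candidate pattern this way before it goes into transforms.conf shows both silent misses and over-long values, either of which would leave searches and alerts keyed on those fields matching nothing.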