Hi crazyeva,
Splunk is using event segmentation; you can read all the details in the docs here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Abouteventsegmentation
Hope this helps ...
cheers, MuS
btw, : is included in the default list of minor segments. Default is / : = @ . - $ # % \\ _
I'm unsure if you were asking about event segmentation so I'm typing this alternative comment to MuS's completely valid answer!
If the question was about extracting the fields at search time, you could use the extract command to show events with the key:value, however I don't think it would work with the spaces...
The extract command could be used for testing auto-recognizing the key:value pairs.
If you wanted to make anything that you used in the extract command always apply at search time you would change the DELIMS setting in transforms.conf
and another valid approach would be to use props.conf and transforms.conf:
props.conf
[mySourceType]
REPORT-000-mySpecialSegmentation = mySpecialSegmentation
transforms.conf
[mySpecialSegmentation]
REGEX = ([^\s]+)\s+:\s+([^\r\n]+)
FORMAT = $1::$2
This will work as long as your key has no spaces in it, otherwise the regex needs some adaption.
Would your above example work for multiple fields ? For example:
key:value random text key2:value2 xxx key3:value3
Would it get just the first key:value or all 3 ?
I'm assuming to get all 3 might be more tricky...but I'm not sure
Not quite sure because I never tested it, but my guess would be it either picks up the first or the last match but not all.
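To see what the regex from the transforms.conf stanza above actually captures on a multi-pair line, here is an added example (not part of the original thread, and not Splunk's own code) that applies it repeatedly with Python's `re` module as a stand-in for Splunk's regex engine. The sample events, the `extract_pairs` helper and `TIGHT_REGEX` are assumptions made for illustration.

```python
import re

# Regex copied verbatim from the transforms.conf stanza in the thread.
THREAD_REGEX = re.compile(r"([^\s]+)\s+:\s+([^\r\n]+)")

# Hypothetical alternative (not from the thread): whitespace around the
# colon is optional and the value stops at the next whitespace or colon.
TIGHT_REGEX = re.compile(r"([^\s:]+)\s*:\s*([^\s:]+)")


def extract_pairs(regex, event):
    """Return every (key, value) pair found when the regex is applied
    repeatedly across the event (simulated here with finditer)."""
    return [(m.group(1), m.group(2)) for m in regex.finditer(event)]


# Constructed sample events: one with spaces around the colon (the shape
# THREAD_REGEX expects), one in the compact form asked about above.
SPACED = "key : value random text key2 : value2 xxx key3 : value3"
COMPACT = "key:value random text key2:value2 xxx key3:value3"

if __name__ == "__main__":
    for name, regex in (("thread", THREAD_REGEX), ("tight", TIGHT_REGEX)):
        for label, event in (("spaced", SPACED), ("compact", COMPACT)):
            print(f"{name:6} {label:7} -> {extract_pairs(regex, event)}")
```

With the thread's regex, the value group `([^\r\n]+)` runs to the end of the line, so the spaced event yields a single pair whose value swallows the later keys, and the compact event yields nothing because `\s+:\s+` requires whitespace on both sides of the colon.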