make extract command overwrite fields

kkalmbach · ‎08-25-2011

I have a field that looks like this:
key1=value1*key2=value2*key3=value3

I put in a stanza in transforms that looks like this:
[star_equals] SOURCE_KEY=my_field DELIMS="*" "="

Then I run a search like this:

index=something | extract star_equals

That works great for everything except the first key/value pair.

When splunk first does it's auto extract, it thinks
key1 has a value of value1*key2=value2*...

When I run the extract command, the value for key1 does not get overwritten.

I can't turn off splunk auto extractions (too much other stuff would break).

If I put in a "field - key1" before the extract, eveything works great, but I won't know what the first key will be, so that's not an option.

Any other ideas?

fk319 · ‎08-29-2011

Can you include the character that is before the first field in DELIMS?

or if this is a sub part of the log, can you extract all the fields as one field, then process that field in a seperate regex?

fk319 · ‎08-30-2011

if you have something like this:
Aug 30 12:34:54 "key1=value1*key2=value2*key3=value3"
then you can extract the keys as a single field.
From this field, you can then extract your keys.

kkalmbach · ‎08-29-2011

Thanks for the idea,
I'm not really following what you meant in the second part (this field is a subpart of the entire event). I do have this part extracted into a field. Are you talking about a new section in the transforms.prop file?

make extract command overwrite fields

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas