Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

make extract command overwrite fields

kkalmbach
Path Finder
‎08-25-2011 08:50 AM

I have a field that looks like this:
key1=value1*key2=value2*key3=value3

I put in a stanza in transforms that looks like this:

[star_equals]
SOURCE_KEY=my_field
DELIMS="*" "="

Then I run a search like this:

index=something | extract star_equals

That works great for everything except the first key/value pair.

When splunk first does it's auto extract, it thinks
key1 has a value of value1*key2=value2*...

When I run the extract command, the value for key1 does not get overwritten.

I can't turn off splunk auto extractions (too much other stuff would break).

If I put in a "field - key1" before the extract, eveything works great, but I won't know what the first key will be, so that's not an option.

Any other ideas?

0 Karma
Reply

fk319
Builder
‎08-29-2011 06:37 AM

Can you include the character that is before the first field in DELIMS?


or if this is a sub part of the log, can you extract all the fields as one field, then process that field in a seperate regex?

0 Karma
Reply

fk319
Builder
‎08-30-2011 06:50 AM

if you have something like this:
Aug 30 12:34:54 "key1=value1*key2=value2*key3=value3"
then you can extract the keys as a single field.
From this field, you can then extract your keys.

0 Karma
Reply

kkalmbach
Path Finder
‎08-29-2011 11:43 AM

Thanks for the idea,
I'm not really following what you meant in the second part (this field is a subpart of the entire event). I do have this part extracted into a field. Are you talking about a new section in the transforms.prop file?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...