Splunk Search

make extract command overwrite fields

kkalmbach
Path Finder

I have a field that looks like this:
key1=value1*key2=value2*key3=value3

I put in a stanza in transforms that looks like this:

# transforms.conf: delimiter-based extraction applied to an already-extracted field
[star_equals]
SOURCE_KEY = my_field
# pairs are separated by "*", key and value within a pair by "="
DELIMS = "*", "="

Then I run a search like this:

index=something | extract star_equals

That works great for everything except the first key/value pair.

When Splunk first does its auto extract, it thinks
key1 has a value of value1*key2=value2*...

When I run the extract command, the value for key1 does not get overwritten.

I can't turn off Splunk auto extractions (too much other stuff would break).

If I put in a "fields - key1" before the extract, everything works great, but I won't know what the first key will be, so that's not an option.

Any other ideas?

0 Karma

fk319
Builder

Can you include the character that is before the first field in DELIMS?


or if this is a sub part of the log, can you extract all the fields as one field, then process that field in a separate regex?

0 Karma

fk319
Builder

if you have something like this:
Aug 30 12:34:54 "key1=value1*key2=value2*key3=value3"
then you can extract the keys as a single field.
From this field, you can then extract your keys.

0 Karma
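An added example (editor's illustration, not code from either poster) of the two-step approach suggested above: pull the whole key/value block out as one field, then split that field with a regex that honours both delimiters. It assumes the block is wrapped in double quotes, as in the sample line above, and the field names kvblob, k, v and pairs are names chosen here for the example:

```spl
index=something
| rex field=_raw "\"(?<kvblob>[^\"]*)\""
| rex field=kvblob max_match=0 "(?<k>[^*=]+)=(?<v>[^*]*)"
| eval pairs=mvzip(k, v, "=")
| table _time kvblob k v pairs
```

Because rex with max_match=0 writes every match into the multivalue fields k and v, the first pair comes out as key1 / value1 regardless of what auto extraction put into the field named key1, and nothing has to be overwritten. If the key names are ever known in advance, note that rex does overwrite an existing field, so `rex field=kvblob "^key1=(?<key1>[^*]*)"` would replace the over-long auto-extracted value where the extract command did not.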

kkalmbach
Path Finder

Thanks for the idea,
I'm not really following what you meant in the second part (this field is a subpart of the entire event). I do have this part extracted into a field. Are you talking about a new section in the transforms.prop file?

0 Karma