Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

make extract command overwrite fields

kkalmbach
Path Finder
‎08-25-2011 08:50 AM

I have a field that looks like this:
key1=value1*key2=value2*key3=value3

I put in a stanza in transforms that looks like this:

[star_equals]
SOURCE_KEY=my_field
DELIMS="*" "="

Then I run a search like this:

index=something | extract star_equals

That works great for everything except the first key/value pair.

When splunk first does it's auto extract, it thinks
key1 has a value of value1*key2=value2*...

When I run the extract command, the value for key1 does not get overwritten.

I can't turn off splunk auto extractions (too much other stuff would break).

If I put in a "field - key1" before the extract, eveything works great, but I won't know what the first key will be, so that's not an option.

Any other ideas?

0 Karma
Reply

fk319
Builder
‎08-29-2011 06:37 AM

Can you include the character that is before the first field in DELIMS?


or if this is a sub part of the log, can you extract all the fields as one field, then process that field in a seperate regex?

0 Karma
Reply

fk319
Builder
‎08-30-2011 06:50 AM

if you have something like this:
Aug 30 12:34:54 "key1=value1*key2=value2*key3=value3"
then you can extract the keys as a single field.
From this field, you can then extract your keys.

0 Karma
Reply

kkalmbach
Path Finder
‎08-29-2011 11:43 AM

Thanks for the idea,
I'm not really following what you meant in the second part (this field is a subpart of the entire event). I do have this part extracted into a field. Are you talking about a new section in the transforms.prop file?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...
Top