Splunk Search

make extract command overwrite fields

Path Finder

I have a field that looks like this:

I put in a stanza in transforms that looks like this:

DELIMS="*" "="

Then I run a search like this:

index=something | extract star_equals

That works great for everything except the first key/value pair.

When splunk first does its auto extract, it thinks key1 has a value of value1*key2=value2*...

When I run the extract command, the value for key1 does not get overwritten.

I can't turn off splunk auto extractions (too much other stuff would break).

If I put in a "field - key1" before the extract, everything works great, but I won't know what the first key will be, so that's not an option.

Any other ideas?

0 Karma


Can you include the character that is before the first field in DELIMS?

Or, if this is a sub part of the log, can you extract all the fields as one field, then process that field in a separate regex?

0 Karma


If you have something like this:
Aug 30 12:34:54 "key1=value1*key2=value2*key3=value3"
then you can extract the keys as a single field.
From this field, you can then extract your keys.

0 Karma
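Combining the original poster's finding that removing key1 before the extract fixes the first pair with the quoted sample format in this reply, here is an added search (not from the thread) that locates the first key at search time instead of hard-coding it, then clears the auto-extracted value before the existing star_equals stanza runs. The rex pattern assumes the key/value string is the first double-quoted substring of the event, and the dynamic eval {first_key}=null() step is the assumed way to drop a field whose name is only known from the data.

```spl
index=something
| rex field=_raw "\"(?<first_key>[^\"*=]+)="
| eval {first_key}=null()
| extract star_equals
| fields - first_key
```

For the sample event Aug 30 12:34:54 "key1=value1*key2=value2*key3=value3", first_key becomes key1, so the auto-extracted key1 is nulled and the extract command repopulates it with value1 while key2 and key3 are unaffected.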

Path Finder

Thanks for the idea,
I'm not really following what you meant in the second part (this field is a subpart of the entire event). I do have this part extracted into a field. Are you talking about a new section in the transforms.prop file?

0 Karma