Which character(s) are not considered delimiters in field values?

marnee
Explorer

I have a field with multiple values that would normally be delimited by a comma:

Field=value1,value2,value3

In Splunk, the Field value will just show "value1".

I want to alter the log message itself to use a delimiter other than comma such that Splunk sees the entire value by default. What characters would work? (I'm sure this is probably documented somewhere, but I could not find it.)

(Note: I see a lot of answers on how to get all values delimited by comma by writing custom field extraction or custom queries in Splunk. However, I don't want to add special processing in Splunk in this case, since we have dozens of people in this case who will just look at "Field" and likely will be perplexed that it doesn't contain all values. Therefore, I want to alter the log message itself and allow Splunk to grab the entire value by default.)

1 Solution

richgalloway
SplunkTrust

Just about any separator you choose would be considered a delimiter by Splunk. The best way to alter the log message is to put quotation marks (") around the value as in Field="value1,value2,value3".

---
If this reply helps you, an upvote would be appreciated.

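The quoting approach from the accepted answer, as an added example that is not from the thread or from Splunk. The extractor below is a deliberately simplified model of default key=value auto-extraction (an unquoted value stops at whitespace or a comma, a double-quoted value runs to the closing quote); it is an assumption for illustration, not Splunk's implementation, and the sample events are constructed. The formatter escapes double quotes and backslashes inside the value: without that, a value that contains a quote ends the field early and whatever follows is read as fields of its own, which matters when the value comes from user input. Whether your indexer honours backslash-escaped quotes inside a quoted value is something to confirm against your own Splunk before relying on it.

```python
import re

# Constructed sample events in the shape the thread discusses (not real logs).
UNQUOTED_EVENT = "2021-10-19T10:00:00Z host=web01 Field=value1,value2,value3 status=ok"
QUOTED_EVENT = '2021-10-19T10:00:00Z host=web01 Field="value1,value2,value3" status=ok'

# Simplified model of default key=value auto-extraction (an assumption for
# illustration, not Splunk's code): an unquoted value runs until whitespace or
# a comma; a double-quoted value runs to the closing quote and may contain
# backslash-escaped quotes or backslashes.
_KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def extract_kv(event: str) -> dict:
    """Return the key=value pairs the simplified extractor pulls from one event."""
    fields = {}
    for m in _KV.finditer(event):
        key, quoted, bare = m.groups()
        if quoted is not None:
            # Drop the escaping backslash in front of \" and \\ .
            fields[key] = re.sub(r'\\(.)', r'\1', quoted)
        else:
            fields[key] = bare
    return fields


def naive_quote(field: str, values) -> str:
    """What not to do: wrap the joined values in quotes without escaping."""
    return f'{field}="{",".join(str(v) for v in values)}"'


def format_kv(field: str, values) -> str:
    """Render a multi-valued field as Field="v1,v2,v3", as the accepted answer suggests.

    Backslashes and double quotes inside a value are escaped so a value that
    happens to contain a quote cannot terminate the field early and smuggle
    in extra key=value pairs.
    """
    joined = ",".join(str(v) for v in values)
    escaped = joined.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}="{escaped}"'


def format_event(timestamp: str, **fields) -> str:
    """Build a whole event; every value (list or scalar) goes through format_kv."""
    parts = [timestamp]
    for key, value in fields.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        parts.append(format_kv(key, values))
    return " ".join(parts)


if __name__ == "__main__":
    print(extract_kv(UNQUOTED_EVENT)["Field"])  # only the first value survives
    print(extract_kv(QUOTED_EVENT)["Field"])    # the whole comma-separated value
    hostile = ['alice" role="admin']            # constructed attacker-influenced value
    print(extract_kv("ts " + naive_quote("user", hostile)))  # a forged role field appears
    print(extract_kv(format_event("ts", user=hostile)))      # stays inside user
```

The two `print` calls at the end side by side show the caveat: with `naive_quote` the forged `role=admin` is extracted as a field of its own, while `format_kv` keeps the same text inside the `user` value.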

woodcock
Esteemed Legend

Take a nap and an aspirin and then google splunk segmenters.conf.


marnee
Explorer

The snark was not necessary, and the "tip" was unhelpful.

woodcock
Esteemed Legend

I am sorry that I was ambiguous and that, in my unclarity, you took it the opposite way from what I intended (I can see how this could easily be misinterpreted); please do forgive me after I explain. What I meant was that you asked what appeared to you to be a very simple question, but it turns out that it is grotesquely complicated, so much so that it will hurt your brain (aspirin) and wear you out (nap). Thank you for your follow-up comment, which allowed me to see my blunder and gave me the opportunity to clarify!
Here is what I meant:
https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf
https://docs.splunk.com/Documentation/Splunk/latest/Data/Setthesegmentationforeventdata
https://docs.splunk.com/Documentation/Splunk/latest/Data/Abouteventsegmentation
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Segmentersconf

marnee
Explorer

LOL, no problem, that makes more sense.

Thanks much for the clarification and the links.


marnee
Explorer

Thanks. That is exactly what I needed.
