Knowledge Management

is there a way that autoKV can support both spaces and quote chars in field values?

sideview
SplunkTrust
SplunkTrust

I'm writing an app that's based on a scripted input, and I'm trying to just dump out my key value pairs so the field extraction will be handled by autoKV.

someField=bar  someOtherField=12.4

Some of my field values can have space characters in them, but that's OK -- if you dig around in the docs the answer for that is to wrap the values in quotes and then autoKV will be tolerant of space characters:

someField="foo bar" someOtherField="12.4"

However if the field values also contain quote characters, I dont think there's any way to get autoKV to index the value correctly.

eg: someField="foo \" bar"

results a field value of "foo \".

I had hoped that autoKV would be smart enough to extract it as foo " bar, or failing that, as 'foo \" bar'

Any ideas, or do I have to switch to a csv approach?

Tags (2)

Ledion_Bitincka
Splunk Employee
Splunk Employee

This is a known issue and we're working on adding support for escape characters within quoted values in for autokv. Should land in our next major release (5.0)

0 Karma

Lowell
Super Champion

Looks like this can be done using KV_MODE=auto_escaped in props.conf.

0 Karma

hazekamp
Builder

Nick,

I had success w/ turning off KV and using DELIMS.

## props.conf
[<your_sourcetype>]
KV_MODE = none
REPORT-kv_for_your_sourcetype = kv_for_your_sourcetype

## transforms.conf
[kv_for_wookie]
DELIMS = " ", "="

sideview
SplunkTrust
SplunkTrust

I actually havent been able to get back to working on this particular app. Others have been bumped up in priority. I'll probably be back on this next week though and I'll update then at least.

0 Karma

jeffa
Path Finder

Nick, were you able to work around this using delims, or other? Having the same issue w/ a scripted input.

0 Karma

sideview
SplunkTrust
SplunkTrust

Thanks hazedav! I'll be back on this tomorrow and I'll give it a shot then.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...