Field discovery with multi-value containing space

swapsapar · ‎09-02-2011

Hi,
I'm trying to understand how the Field Discovery part works by default while dealing with a multi-value string containing spaces.
e.g I have like 50 fields similar to following which takes the format key1=value1 with a few exceptions where there are more than one value to the key; key2=value3 value4. Note the "space" between the two values here.

category=auto model=new color=red blue green type=sports

I have a choice of updating my message signature.

Q. I would like to know what is the best way to escape the space between red blue red?
Q. Putting the whole value side in the couble-quotes (") like following would solve this problem?
category=auto model=new color="red blue green" type=sports
Q. Any other alternative?

bbingham · ‎09-03-2011

Putting the value inside quotes will make splunk take "red blue green" as one value for "color", not a multivalue field. You could take this approach and then use:

|makemv delim=" " color

And splunk will make it a multivalue field.

If you'd like splunk to treat the these items as a multivalued field without using the search language, you'll need to setup fields.conf for the regex that defines the different values. Take a look at this portion of the documentation: Multivalue Vields

the example fields.conf file has a great example doing something similar with the email "to" field.

Field discovery with multi-value containing space

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms