I feel like I should know the answer to this, but just in case I missed something....
Splunk automatically handles field extractions for events like this very well:
Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]: successful login. user="joe" ip="10.0.0.99"
This works, but it results in all field values wrapped in literal single quotes:
Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]: successful login. user='joe' ip='10.0.0.99'
So user is now 'joe' and ip is now '10.0.0.99'.
(Because the single quotes become part of the field's value.)
Is there a way to make this work more efficiently with Splunk's automatic KV mode (KV_MODE=auto) so that single quotes are treated the way double quotes are traditionally handled?
I realize this can be done with a REGEX, but I was hoping for a better solution.
You can create your own KV_MODE extractions like this:
# props.conf, inside the stanza for the sourcetype (or source/host) in question
REPORT-kvmode = single_quote_kvps

# transforms.conf
[single_quote_kvps]
# $1 = key, $2 = value captured by REGEX below
FORMAT = $1::$2
# repeated keys become multivalue fields instead of being dropped
MV_ADD = 1
# key is everything up to '=' that is not whitespace; value is the text between single quotes
REGEX = ([^=\s]+)='([^']+)'
SOURCE_KEY = _raw
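As an added example (not part of the original answer), here is a way to check the transforms.conf REGEX offline before deploying it: it runs the stanza's pattern over the sample event from the question, emulates MV_ADD=1 for repeated keys, and sets the result beside a quote-preserving extraction. The AUTO_KV_APPROX pattern is an assumption made for the comparison, not Splunk's real KV_MODE=auto logic.

```python
import re

# REGEX from the single_quote_kvps stanza above (findall yields (key, value) tuples).
SINGLE_QUOTE_KVP = re.compile(r"([^=\s]+)='([^']+)'")

# Rough stand-in for the quote-preserving behaviour seen with KV_MODE=auto on this
# event (assumption for illustration, not Splunk's actual auto-KV implementation).
AUTO_KV_APPROX = re.compile(r"([^=\s]+)=(\S+)")

# Constructed sample events; the first is the one from the question, the second adds
# a repeated key and an empty value to exercise MV_ADD and the [^']+ requirement.
EVENTS = [
    "Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]: successful login. user='joe' ip='10.0.0.99'",
    "Thu Jan 14 10:47:11 EST 2016 myfakeservice[3]: failed login. user='joe' user='bob' ip='10.0.0.7' note=''",
]


def extract(event, pattern=SINGLE_QUOTE_KVP, mv_add=True):
    """Apply a transforms-style regex to one event.

    With mv_add=True (MV_ADD=1) a repeated key becomes a multivalue list;
    with mv_add=False a later match for an existing key is discarded.
    """
    fields = {}
    for key, value in pattern.findall(event):
        if mv_add:
            fields.setdefault(key, []).append(value)
        else:
            fields.setdefault(key, value)
    return fields


def compare(event):
    """Return (quote-preserving, single-quote-transform) extractions for one event."""
    return extract(event, AUTO_KV_APPROX, mv_add=False), extract(event, mv_add=False)


if __name__ == "__main__":
    for ev in EVENTS:
        auto_style, fixed = compare(ev)
        print("quote-preserving:", auto_style)
        print("transform (MV_ADD=1):", extract(ev))
```

Note that note='' in the second event is not extracted at all, because the stanza's [^']+ requires at least one character between the quotes.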
I was hoping that Splunk would have added support for this without requiring a REGEX, but I'm doubtful any such solution exists. My understanding is that dynamic key regexes ($1::$2) have some negative performance implications.
How do you think the built-in works? Productivity should usually trump performance, although the latter should never be ignored.