Can you tell Auto KV to honor values within single...

Lowell · ‎01-14-2016

I feel like I should know the answer to this, but just in case I missed something....

Splunk automatically handles field extractions for events like this very well:

Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]:  successful login.  user="joe" ip="10.0.0.99"

This works, but it results in all field values wrapped in literal single quotes:

Thu Jan 14 10:46:02 EST 2016 myfakeservice[3]:  successful login.  user='joe' ip='10.0.0.99'

So user is now 'joe' and ip is now '10.0.0.99' (Because the single quotes become part of the field's value.)

Is there a way to make this work more efficiently with Splunk's automatic KV mode ( KV_MODE=auto ) so that single quotes are treated as double quotes are traditionally handled?

I realize this can be done with a REGEX, but I was hoping for a better solution.

woodcock · ‎01-18-2016

You can create your own KV_MODE extractions like this:

props.conf:

REPORT-kvmode = single_quote_kvps

transforms.conf:

[single_quote_kvps]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^=\s]+)='([^']+)'
SOURCE_KEY = _raw

Lowell · ‎01-18-2016

I was hoping that Splunk would have added support for this without requiring a REGEX, but I'm doubtful any such solution exists. My understanding is that dynamic key regex have some negative performance implications. ( $1::$2 )

woodcock · ‎01-19-2016

How do you think the built-in works? Productivity should usually trump performance, although the latter should never be ignored.

Can you tell Auto KV to honor values within single quotes instead of double quotes?

props.conf:

transforms.conf:

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!