Using SPATH notation in conf files

danielwysockiar · ‎08-31-2018

Hi guys,
I need to uto extract fields and values during search time using SPATH notation in props.conf and transforms.conf filles.
I know that there are more convinient ways to do that, but I have to do it this way.

I know how to use spath in SPL, but can someone let me know what the syntax in the .conf file should look like?
I cannot not find it in any docs or answers.
Thank in advance.

sudosplunk · ‎08-31-2018

Hi,

Are you looking for this?

danielwysockiar · ‎08-31-2018

Not exactly, I need search-time extraction defined in .conf files, not indexed extractions.
I can not find how to use spath in props.conf.

sudosplunk · ‎08-31-2018

KV_MODE is used for search-time field extractions only. These are the values you can set for KV_MODE,

none: if you want no field/value extraction to take place.
- auto: extracts field/value pairs separated by equal signs.
- auto_escaped: extracts fields/value pairs separated by equal signs and honors \" and \ as escaped sequences within quoted values, e.g field="value with \"nested\" quotes"
- multi: invokes the multikv search command to expand a tabular event into multiple events.
- xml : automatically extracts fields from XML data.
- json: automatically extracts fields from JSON data.

Using SPATH notation in conf files

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life