Splunk Search

How does Splunk log keyword pair extraction overwrites field value unintentionally?

burwell
SplunkTrust
SplunkTrust

I have a log of the form

  <timestamp> field1 field2 field3 field4 urlfield ....

For example:

<timestamp>   field1  field2   field3  field4   http://mydomain.com?field2=blah

So what happens is that when a user uses one of my fields in an url, I don't get the true value of field2 (from my log) but instead Splunk is doing the keyvalue pair extraction for me and field2 is set to blah.

How do people generally handle this case?

0 Karma

niketn
Legend

@burwell can you add some sample events? You can mock/anonymize any sensitive data. Also share your props.conf and transforms.conf (if it is used for field extraction). What is the configuration you are using for extraction of field1, field2 etc? Are these actually extracted through regex or delimited string? By any chance is the source of data is csv file?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

efavreau
Motivator

I rex the fields and name them something different

###

If this reply helps you, an upvote would be appreciated.
0 Karma

p_gurav
Champion

Can you try to disable auto KV (so set KV_MODE=none)?

Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...