Solved: How to stop field extractions from within path and...

proylea · ‎05-16-2018

How do you stop Splunk pulling fields out of paths and url fields like this one

path="/portal.php?mod=portalcp&ac=comment&op=reply&aid=561514&infloat=yes&handlekey=c_&referer=http%3A%2F%2Fwww.backchina.com%2Fportal.php%3Fmod%3Dcomment%26id%3D561514%26idtype%3Daid%26page%3D2&inajax=1&ajaxtarget=fwin_content_c_"

I've extracted the path field in props.conf and it works, but Splunk also pulls out every other keyvalue pair
mod=
ac=
etc etc etc

These fields are turning up in Splunk ES as weird user names and http_method values.

cpetterborg · ‎05-16-2018

You can probably do it with setting KV_MODE=none in the props.conf file for the sourcetype (or source, whichever works for you case). This was already answered this way in:

https://answers.splunk.com/answers/74720/disable-automatic-field-extraction.html

It seemed to work for the person in that posting.

View solution in original post

cpetterborg · ‎05-16-2018

You can probably do it with setting KV_MODE=none in the props.conf file for the sourcetype (or source, whichever works for you case). This was already answered this way in:

https://answers.splunk.com/answers/74720/disable-automatic-field-extraction.html

It seemed to work for the person in that posting.

proylea · ‎05-17-2018

awesome thanks cp works good 🙂

proylea · ‎05-18-2018

Thanks cp all sorted

cpetterborg · ‎05-17-2018

Not that I'm fishing for the karma points, but if you accept this answer, then others will know that this question has been answered satisfactorily. Thanks!! 🙂

How to stop field extractions from within path and url fields

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases