using the OPSEC LEA app and noticed that two of the default kv extract key/value pairs weren't working for me. The log entry for the relevant key/value was i/f_dir and i/f_name, not i_f_dir and i_f_name. I tried to escape the / in the key, but that failed as the extracted format was f_name and f_dir. How do you escape the / in the key?
Here is the attempted setting in props.conf. I know it's failing as the key displayed in the search window is not direction and inbound_interface; instead it's f_name and f_dir.
Can you provide an example of a log line? By default during kv extraction Splunk replaces non-alphanumeric characters in keys with '_' to make working with fields easier.
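To make the key-cleanup behaviour described in this answer concrete, here is an added example (not code from the original thread or from the OPSEC LEA app) that emulates the default cleanup on a constructed space-delimited key=value line, showing why `i/f_dir` surfaces as `i_f_dir`, and then maps the cleaned names onto the field names the poster wanted instead of trying to escape the slash. The line, the `ALIASES` table and the direction/interface mapping are assumptions for illustration.

```python
import re

# Constructed sample line in the key=value style discussed in the thread;
# it is not taken from the original post.
SAMPLE_LINE = "action=accept i/f_dir=inbound i/f_name=eth0 src=10.0.0.5 dst=10.0.0.9 proto=tcp"

# Hypothetical mapping from the cleaned key names to the names the poster
# wanted to see in the search window.
ALIASES = {"i_f_dir": "direction", "i_f_name": "inbound_interface"}

# Any character that is not a letter, digit or underscore.
NON_ALNUM = re.compile(r"[^A-Za-z0-9_]")


def clean_key(key: str) -> str:
    """Emulate the default kv cleanup the answer describes: each
    non-alphanumeric character in a key is replaced by a single '_'."""
    return NON_ALNUM.sub("_", key)


def extract_kv(line: str) -> dict:
    """Split a space-delimited key=value line into raw key -> value pairs.
    Tokens without '=' (or with an empty key) are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and key:
            fields[key] = value
    return fields


def cleaned_fields(line: str) -> dict:
    """Field names as they appear after cleanup, e.g. i/f_dir -> i_f_dir."""
    return {clean_key(k): v for k, v in extract_kv(line).items()}


def aliased_fields(line: str, aliases: dict = ALIASES) -> dict:
    """Keep the cleaned fields and add the friendlier alias names alongside
    them, which is the mapping a field alias would provide in Splunk."""
    fields = cleaned_fields(line)
    for cleaned, alias in aliases.items():
        if cleaned in fields:
            fields[alias] = fields[cleaned]
    return fields


if __name__ == "__main__":
    for name, value in sorted(aliased_fields(SAMPLE_LINE).items()):
        print(f"{name}={value}")
```

In Splunk itself the same mapping is what a `FIELDALIAS-<class> = i_f_dir AS direction` stanza in props.conf expresses, applied to the already-cleaned key names rather than the raw `i/f_dir`.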
The new version of the Check Point binary solves this problem for me. The names of the fields are now named and extracted properly. Thanks for the follow-up, Eric.
