Extracting commands
Extracting commands allow you to extract fields from your raw event data.
extract
This data-processing command extracts key-value pairs from search results: it finds the key=value pairs present in each event's raw text and adds them to the event as reportable fields.
You can name specific transform stanzas from transforms.conf for it to apply. extract is useful for testing any new regex rules you add to transforms.conf; combine it with reload=T so the edited files are re-read before the extraction runs.
Syntax
extract [extract-options] transform_stanza_names
Note: kv can be used in place of extract in the syntax.
Arguments
extract-options
| Option | Syntax | Description |
| --- | --- | --- |
| extract-options | auto, reload, limit, maxchars | Options to tune how key-value extraction performs. |
| auto | auto=T or F (default T) | If set, performs automatic '=' based extraction of key=value pairs. |
| reload | reload=T or F (default F) | If set, forces props.conf and transforms.conf to be reloaded from disk before extracting. |
| limit | limit=integer (default 50) | Maximum number of key/value pairs to extract from an event. |
| maxchars | maxchars=integer (default 10240) | Maximum number of characters of a single event to examine. |
| transform_stanza_names | name of stanza(s) | One or more stanzas in transforms.conf to apply. Use this when props.conf does not already cause the extraction. |
Examples
SplunkWeb:
- | extract reload = true
- Searches all, and extracts key/value pairs while reloading settings from disk.
CLI:
./splunk search "* | extract reload = true"
- Search all and reload the extracted field settings to apply configuration changes.
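The following Python sketch is an added example, not code from the original page or from Splunk. It emulates what extract does to a single event so that the effect of auto, limit and maxchars, and of a named transform stanza, can be seen on a constructed firewall log line. The sample event, the stanza names and regexes in TRANSFORMS, and the first-occurrence-wins handling of a repeated key are assumptions made for the example.

```python
import re

# Constructed sample event (not from the original page): a firewall-style
# syslog line carrying key=value pairs and a quoted value.
SAMPLE_EVENT = (
    'Jan 12 10:04:31 fw1 action=blocked src=10.0.0.5 dst=203.0.113.9 '
    'dport=445 proto=tcp msg="SMB probe" user=jdoe'
)

# Hypothetical transforms.conf-style stanzas, modelled as name -> regex with
# named capture groups. The stanza names and patterns are assumptions.
TRANSFORMS = {
    "syslog_header": re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<reporting_host>\S+)"),
    "blocked_port": re.compile(r"action=blocked\s.*?dport=(?P<blocked_port>\d+)"),
}

# Automatic '=' based extraction: a bare key, '=', then a quoted or unquoted value.
KV_RE = re.compile(r'(?P<key>[A-Za-z_][\w.-]*)=(?P<val>"[^"]*"|\S+)')


def extract(event, transform_stanza_names=(), auto=True, limit=50, maxchars=10240):
    """Emulate `extract` on one event and return the fields it would add.

    auto      -> automatic key=value extraction
    limit     -> stop after this many automatically extracted pairs
    maxchars  -> only the first `maxchars` characters of the event are examined
    transform_stanza_names -> named regexes applied in addition to auto mode
    """
    text = event[:maxchars]
    fields = {}
    if auto:
        for n, m in enumerate(KV_RE.finditer(text)):
            if n >= limit:
                break
            # Keys are taken verbatim from the event text; a repeated key
            # keeps its first value here (an assumption for the example).
            fields.setdefault(m.group("key"), m.group("val").strip('"'))
    for name in transform_stanza_names:
        m = TRANSFORMS[name].search(text)
        if m:
            fields.update(m.groupdict())
    return fields
```

Two things worth remembering when relying on automatic extraction are visible in the emulation: field names come verbatim from the event text, so any key=value token that a user or an attacker can get into a logged message becomes a field; and maxchars silently truncates the event, so pairs past the cutoff never appear and the last pair before it may be cut short.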
multikv
This data-processing command extracts fields from events with information in a tabular format. A new event is created for each table row. Field names are derived from the title row of the table.
Syntax
multikv [multikv-option]...
Arguments
multikv-option
| Option | Syntax | Description |
| --- | --- | --- |
| multikv-option | copyattrs, fields, filter, forceheader, multitable, noheader, rmorig | Options available for multikv processing. |
| copyattrs | copyattrs=T or F (default T) | If set, copies non-field attributes from the original event to each extracted event. |
| fields | fields=field1,...,fieldx | Space- or comma-separated list of fields to include in the extracted events. Fields not listed are filtered out. |
| filter | filter=term1,...,termx | Space- or comma-separated list of terms. A table row must contain at least one of the terms to be extracted into an event. |
| forceheader | forceheader=integer | Line number of the row to treat as the table's header. |
| multitable | multitable=T or F (default T) | If set, allows multiple tables within a single _raw event. |
| noheader | noheader=T or F (default F) | If set, handles tables that have no header row; the fields are then named column1, column2, ... |
| rmorig | rmorig=T or F (default T) | If set, removes the original tabular events from the result set. |
Examples
SplunkWeb:
- multikv fields COMMAND filter splunkd
- Extracts only the COMMAND field, and only from table rows that contain "splunkd".
CLI:
./splunk search "* | multikv fields COMMAND filter splunkd"
- Extracts only the COMMAND field, and only from table rows that contain "splunkd".
./splunk search "* | multikv forceheader=6"
- Extracts table rows, treating line 6 of the event as the table's header.
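An added Python emulation, not Splunk's own code and not on the original page, of the row splitting multikv performs, run over a constructed ps-style table captured as one event. It treats forceheader as a 1-based line number, models copyattrs through an attrs dict of non-field attributes such as host, and lets the last column absorb the rest of each row so a COMMAND containing spaces survives intact; all three are assumptions for the example rather than documented Splunk behaviour. It also exercises noheader and rmorig, which the page's examples do not.

```python
# Constructed sample event (not from the original page): one `ps`-style table
# captured as a single raw event, as a scripted input might produce.
PS_EVENT = """\
USER       PID %CPU %MEM COMMAND
root      1204  0.3  1.2 /opt/splunk/bin/splunkd -p 8089 start
splunk    1210  0.0  0.4 splunkd pid=1204
jdoe      2231  0.0  0.1 -bash
"""


def multikv(raw, fields=None, filter=None, forceheader=None, noheader=False,
            rmorig=True, copyattrs=True, attrs=None):
    """Emulate `multikv`: split one tabular event into one event per row.

    fields       keep only these columns in the extracted events
    filter       keep only rows containing at least one of these terms
                 (named after the option, so it shadows the builtin here)
    forceheader  1-based line number of the header row (assumption)
    noheader     table has no header; columns become column1, column2, ...
    rmorig       drop the original tabular event from the result
    copyattrs    copy `attrs` (non-field attributes such as host) to each row
    Returns a list of dicts, one per resulting event.
    """
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if noheader:
        names = [f"column{i}" for i in range(1, len(lines[0].split()) + 1)]
        rows = lines
    else:
        hdr = 0 if forceheader is None else forceheader - 1
        names = lines[hdr].split()
        rows = lines[hdr + 1:]

    out = [] if rmorig else [{"_raw": raw}]
    for row in rows:
        # Split into exactly len(names) cells so the last column keeps its
        # spaces: "/opt/splunk/bin/splunkd -p 8089 start" stays one value.
        cells = row.split(None, len(names) - 1)
        if len(cells) != len(names):
            continue                      # ragged line: not a table row
        if filter and not any(term in row for term in filter):
            continue
        ev = dict(zip(names, cells))
        if fields:
            ev = {k: v for k, v in ev.items() if k in fields}
        if copyattrs and attrs:
            ev.update(attrs)
        out.append(ev)
    return out
```

The page's example, multikv fields COMMAND filter splunkd, corresponds to multikv(PS_EVENT, fields=["COMMAND"], filter=["splunkd"]), which keeps the two splunkd rows and drops the shell. A header-driven split like this is only as trustworthy as the header: if the table's first line is not the header, forceheader is what stops every column from being misnamed.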
xmlkv
This data-processing command finds all key-value pairs of the form <foo>bar</foo> in the raw data, where foo is the key and bar is the value. This is useful for finding key-value pairs in XML-formatted data (such as transactions from web pages). Add maxinputs=integer to the end of your search to specify the number of events to pass to the command. The default is 100.
Syntax
xmlkv [maxinputs=integer]
Arguments
| Option | Syntax | Description |
| --- | --- | --- |
| maxinputs | maxinputs=integer (default 100) | Number of events to pass to the command. |
Examples
SplunkWeb:
- NOT Completed orderId::* index::metaevents | xmlkv
- Searches for incomplete orders in the index "metaevents", then matches the XML-style key-value pairs in each event: the tag name becomes the field name and the text between the tags becomes its value.
- NOT Completed orderId::* index::metaevents | xmlkv maxinputs=1000
- As above, but passing the first 1000 events to xmlkv.
CLI:
./splunk search "NOT Completed orderId::* index::metaevents | xmlkv"
- Searches for incomplete orders in the index "metaevents", then matches the XML-style key-value pairs in each event: the tag name becomes the field name and the text between the tags becomes its value.
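An added Python emulation, not Splunk's own code and not on the original page, of the <foo>bar</foo> matching xmlkv performs, run over three constructed order records. The sample events are invented, the search is approximated by a text check for "orderId" and the absence of "Completed", and the pair matching is a deliberate text scan rather than an XML parse, so the example also shows what such a scan does not do: the enclosing <order> element, whose content holds other tags, yields no field, and an entity such as &amp; is left encoded.

```python
import re

# Constructed sample events (not from the original page): order records whose
# raw text carries simple <tag>value</tag> pairs, as the page's example assumes.
SAMPLE_EVENTS = [
    "<order><orderId>A1001</orderId><status>Pending</status><amount>42.50</amount></order>",
    "<order><orderId>A1002</orderId><status>Pending</status><note>rush &amp; gift</note></order>",
    "<order><orderId>A1003</orderId><status>Completed</status></order>",
]

# Matches leaf <foo>bar</foo> pairs whose closing tag repeats the opening name.
# This is a text scan, not an XML parse: elements with attributes or nested
# children (the enclosing <order> here) do not match, and entities stay encoded.
PAIR_RE = re.compile(r"<(?P<key>[A-Za-z_][\w.-]*)>(?P<val>[^<]*)</(?P=key)>")


def xmlkv_one(raw):
    """Return the tag-name -> text pairs found in one event's raw text."""
    return {m.group("key"): m.group("val") for m in PAIR_RE.finditer(raw)}


def xmlkv(events, maxinputs=100):
    """Emulate `xmlkv`: add extracted fields to at most `maxinputs` events."""
    return [{"_raw": raw, **xmlkv_one(raw)} for raw in events[:maxinputs]]


def incomplete_orders(events, maxinputs=100):
    """Approximate the page's search, NOT Completed orderId::* ... | xmlkv:
    keep events mentioning orderId that do not contain the word Completed,
    then run xmlkv over the survivors."""
    matched = [raw for raw in events
               if "orderId" in raw and "Completed" not in raw]
    return xmlkv(matched, maxinputs)
```

If the XML you search carries attributes, nested elements, CDATA or namespaces, a pattern of this shape will miss or mis-pair values; for anything beyond flat <tag>value</tag> records, extract the fields with a real XML parser at the source instead of relying on a search-time text match.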
This documentation applies to the following versions of Splunk: 3.1.4