Search Reference

 


extract

This documentation does not apply to the most recent version of Splunk.

Synopsis

Extracts field-value pairs from search results.

Syntax

extract [<extract-opt>]* [<extractor-name>]*

Arguments

<extract-opt>
Syntax: auto=<bool> | clean_keys=<bool> | kvdelim=<string> | limit=<int> | maxchars=<int> | mv_add=<bool> | pairdelim=<string> | reload=<bool> | segment=<bool>
Description: Options for defining the extraction.
<extractor-name>
Syntax: <string>
Description: A stanza that can be found in transforms.conf. This is used when props.conf did not explicitly cause an extraction for this source, sourcetype, or host.

Extract options

auto
Syntax: auto=<bool>
Description: Specifies whether to perform automatic "=" based extraction, default is true.
clean_keys
Syntax: clean_keys=<bool>
Description: Specifies whether to clean keys. Overrides CLEAN_KEYS from transforms.conf.
kvdelim
Syntax: kvdelim=<string>
Description: Specify a list of character delimiters that separate the key from the value.
limit
Syntax: limit=<int>
Description: Specifies how many automatic key/value pairs to extract, default is 50.
maxchars
Syntax: maxchars=<int>
Description: Specifies how many characters to look into the event, default is 10240.
mv_add
Syntax: mv_add=<bool>
Description: Specifies whether to create multivalued fields. Overrides MV_ADD from transforms.conf.
pairdelim
Syntax: pairdelim=<string>
Description: Specify a list of character delimiters that separate the key-value pairs from each other.
reload
Syntax: reload=<bool>
Description: Specifies whether to force reloading of props.conf and transforms.conf, default is false.
segment
Syntax: segment=<bool>
Description: Specifies whether to note the locations of key/value pairs with the results, default is false.

Description

Forces field-value extraction on the result set.

Examples

Example 1: Extract field/value pairs that are delimited by "|" or ";", where each key is separated from its value by "=" or ":".

... | extract pairdelim="|;", kvdelim="=:", auto=f

Example 2: Extract field/value pairs and reload field extraction settings from disk.

... | extract reload=true

Example 3: Extract field/value pairs that are defined in the transforms.conf stanza 'access-extractions'.

... | extract access-extractions
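
The delimiter options from Example 1, together with limit, maxchars and mv_add, modelled in Python as an added example (not Splunk's code or implementation). The function names, the sample event and the duplicate-key handling are assumptions; the model shows that fields past limit or maxchars are silently absent, which matters when a detection search depends on them.

```python
import re

# Constructed sample event, not taken from the documentation.
SAMPLE = "user=alice|src:10.0.0.5;action=login;user=bob|status:failed"


def kv_extract(event, pairdelim, kvdelim, limit=50, maxchars=10240, mv_add=False):
    """Simplified model of delimiter-based key/value extraction (hypothetical helper)."""
    window = event[:maxchars]  # maxchars: text past this offset is never examined
    # Each option is a list of single-character delimiters, so build character classes.
    pair_re = re.compile("[" + re.escape(pairdelim) + "]")
    kv_re = re.compile("[" + re.escape(kvdelim) + "]")
    fields, seen = {}, 0
    for chunk in pair_re.split(window):
        if seen >= limit:  # limit: stop once this many pairs have been found
            break
        parts = kv_re.split(chunk, maxsplit=1)  # split on the first key/value delimiter only
        if len(parts) != 2 or not parts[0].strip():
            continue  # no delimiter or empty key: not a pair
        key, value = parts[0].strip(), parts[1].strip()
        seen += 1
        if key not in fields:
            fields[key] = value
        elif mv_add:  # assumption: a repeated key becomes a multivalued field
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        # assumption: with mv_add off, the later duplicate value is dropped
    return fields


def missing_fields(event, required, **opts):
    """Fields a search depends on that the extraction did not produce (hypothetical helper)."""
    return sorted(set(required) - set(kv_extract(event, **opts)))


if __name__ == "__main__":
    opts = {"pairdelim": "|;", "kvdelim": "=:"}
    print(kv_extract(SAMPLE, **opts))
    print(kv_extract(SAMPLE, mv_add=True, **opts))
    # A low limit or maxchars drops later fields without any error.
    print(missing_fields(SAMPLE, ["user", "status"], limit=3, **opts))
    print(kv_extract(SAMPLE, maxchars=11, **opts))
```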


See also

kvform, multikv, rex, xmlkv

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

