Documentation > Splunk > Search Reference > extract (kv)

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

extract (kv)

Contents

extract (kv)

Synopsis

Extracts field-value pairs from search results.

Syntax

extract | kv <extract-opt>* <extractor-name>*

Required arguments

<extract-opt>
Syntax: auto=<bool> | clean_keys=<bool> | kvdelim=<string> | limit=<int> | maxchars=<int> | mv_add=<bool> | pairdelim=<string> | reload=<bool> | segment=<bool>
Description: Options for defining the extraction.
<extractor-name>
Syntax: <string>
Description: A stanza that can be found in transforms.conf. This is used when props.conf did not explicitly cause an extraction for this source, sourcetype, or host.

Extract options

auto
Syntax: auto=<bool>
Description: Specifies whether to perform automatic "=" based extraction. Defaults to true.
clean_keys
Syntax: clean_keys=<bool>
Description: Specifies whether to clean keys. Overrides CLEAN_KEYS from transforms.conf.
kvdelim
Syntax: kvdelim=<string>
Description: Specify a list of character delimiters that separate the key from the value.
limit
Syntax: limit=<int>
Description: Specifies how many automatic key/value pairs to extract. Defaults to 50.
maxchars
Syntax: maxchars=<int>
Description: Specifies how many characters to look into the event. Defaults to 10240.
mv_add
Syntax: mv_add=<bool>
Description: Specifies whether to create multivalued fields. Overrides MV_ADD from transforms.conf.
pairdelim
Syntax: pair=<string>
Description: Specify a list of character delimiters that separate the key-value pairs from each other.
reload
Syntax: reload=<bool>
Description: Specifies whether to force reloading of props.conf and transforms.conf. Defaults to false.
segment
Syntax: segment=<bool>
Description: Specifies whether to note the locations of key/value pairs with the results. Defaults to false.

Description

Forces field-value extraction on the result set.

Examples

Example 1: Extract field/value pairs that are delimited by "|;", and values of fields that are delimited by "=:". Note that the delimiters are individual characters. So in this example the "=" or ":" will be used to delimit the key value. Similarly, a "|" or ";" will be used to delimit against the pair itself.

... | extract pairdelim="|;", kvdelim="=:", auto=f

Example 2: Extract field/value pairs and reload field extraction settings from disk.

... | extract reload=true

Example 3: Extract field/value pairs that are defined in the transforms.conf stanza 'access-extractions'.

... | extract access-extractions

See also

kvform, multikv, rex, xmlkv,

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the extract command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/Extract"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!