Related Answers
Download topic as PDF
extract
Description
Extracts field-value pairs from the search results.
Syntax
extract [<extract-options>... ] [<extractor-name>...]
Required arguments
None.
Optional arguments
- <extract-options>
- Syntax: clean_keys=<bool> | kvdelim=<string> | limit=<int> | maxchars=<int> | mv_add=<bool> | pairdelim=<string> | reload=<bool> | segment=<bool>
- Description: Options for defining the extraction. See the Extract_options section in this topic.
- <extractor-name>
- Syntax: <string>
- Description: A stanza in the
transforms.conffile. This is used when theprops.conffile does not explicitly cause an extraction for this source, sourcetype, or host.
Extract options
- clean_keys
- Syntax: clean_keys=<bool>
- Description: Specifies whether to clean keys. Overrides CLEAN_KEYS in the
transforms.conffile. - Default: The value specified in the CLEAN_KEYS in the
transforms.conffile.
- kvdelim
- Syntax: kvdelim=<string>
- Description: A list of character delimiters that separate the key from the value.
- limit
- Syntax: limit=<int>
- Description: Specifies how many automatic key-value pairs to extract.
- Default: 50
- maxchars
- Syntax: maxchars=<int>
- Description: Specifies how many characters to look into the event.
- Default: 10240
- mv_add
- Syntax: mv_add=<bool>
- Description: Specifies whether to create multivalued fields. Overrides the value for the MV_ADD parameter in the
transforms.conffile. - Default: false
- pairdelim
- Syntax: pair=<string>
- Description: A list of character delimiters that separate the key-value pairs from each other.
- reload
- Syntax: reload=<bool>
- Description: Specifies whether to force reloading of the
props.confandtransforms.conffiles. - Default: false
- segment
- Syntax: segment=<bool>
- Description: Specifies whether to note the locations of the key-value pairs with the results.
- Default: false
Usage
The extract command is a distributable streaming command. See Command types.
Alias
The alias for the extract command is kv.
Examples
Example 1:
Extract field-value pairs that are delimited by the pipe or semicolon characters ( |; ). Extract values of the fields that are delimited by the equal or colon characters ( =: ). The delimiters are individual characters. In this example the "=" or ":" character is used to delimit the key value. Similarly, a "|" or ";" is used to delimit the field-value pair itself.
... | extract pairdelim="|;", kvdelim="=:"
Example 2:
Extract field-value pairs and reload field extraction settings from disk.
... | extract reload=true
Example 3:
Extract field-value pairs that are defined in the stanza 'access-extractions' in the transforms.conf file.
... | extract access-extractions
See also
kvform, multikv, rex, spath, xmlkv, xpath
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the extract command.
|
PREVIOUS eventstats |
NEXT fieldformat |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6
Feedback submitted, thanks!