Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

extract

Description

Extracts field-value pairs from the search results.

Syntax

extract [<extract-options>... ] [<extractor-name>...]

Required arguments

None.

Optional arguments

<extract-options>
Syntax: clean_keys=<bool> | kvdelim=<string> | limit=<int> | maxchars=<int> | mv_add=<bool> | pairdelim=<string> | reload=<bool> | segment=<bool>
Description: Options for defining the extraction. See the Extract_options section in this topic.
<extractor-name>
Syntax: <string>
Description: A stanza in the transforms.conf file. This is used when the props.conf file does not explicitly cause an extraction for this source, sourcetype, or host.

Extract options

clean_keys
Syntax: clean_keys=<bool>
Description: Specifies whether to clean keys. Overrides CLEAN_KEYS in the transforms.conf file.
Default: The value specified in the CLEAN_KEYS in the transforms.conf file.
kvdelim
Syntax: kvdelim=<string>
Description: A list of character delimiters that separate the key from the value.
limit
Syntax: limit=<int>
Description: Specifies how many automatic key-value pairs to extract.
Default: 50
maxchars
Syntax: maxchars=<int>
Description: Specifies how many characters to look into the event.
Default: 10240
mv_add
Syntax: mv_add=<bool>
Description: Specifies whether to create multivalued fields. Overrides the value for the MV_ADD parameter in the transforms.conf file.
Default: false
pairdelim
Syntax: pair=<string>
Description: A list of character delimiters that separate the key-value pairs from each other.
reload
Syntax: reload=<bool>
Description: Specifies whether to force reloading of the props.conf and transforms.conf files.
Default: false
segment
Syntax: segment=<bool>
Description: Specifies whether to note the locations of the key-value pairs with the results.
Default: false

Usage

The extract command is a distributable streaming command. See Command types.

Alias

The alias for the extract command is kv.

Examples

Example 1:

Extract field-value pairs that are delimited by the pipe or semicolon characters ( |; ). Extract values of the fields that are delimited by the equal or colon characters ( =: ). The delimiters are individual characters. In this example the "=" or ":" character is used to delimit the key value. Similarly, a "|" or ";" is used to delimit the field-value pair itself.

... | extract pairdelim="|;", kvdelim="=:"

Example 2:

Extract field-value pairs and reload field extraction settings from disk.

... | extract reload=true

Example 3:

Extract field-value pairs that are defined in the stanza 'access-extractions' in the transforms.conf file.

... | extract access-extractions

See also

kvform, multikv, rex, spath, xmlkv, xpath

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the extract command.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:Extract:4.1&oldid=935974"
PREVIOUS
eventstats 		  NEXT
fieldformat

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 6.3.11, 6.3.12, 6.3.13

Comments

How does segment=true change output? I don't notice any differences in my tests.

Mschaaf
July 12, 2018

It would be really, Really, REALLY, **REALLY*** nice if we could use this on other fields besides "_raw"! Please add a new "field=" argument, PLEASE!

Woodcock
May 1, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters