Configure automatic key-value field extraction
Automatic key-value field extraction is a search-time field extraction configuration that uses the KV_MODE
attribute to automatically extract fields for events associated with a specific host, source, or source type. Configure automatic key-value field extractions by finding or creating the appropriate stanza in props.conf
. You can find props.conf
in $SPLUNK_HOME/etc/system/local/
or your own custom app directory in $SPLUNK_HOME/etc/apps/
.
Automatic key-value field extraction is not explicit. You cannot configure it to find a specific field or set of fields. It looks for key-value patterns in events and extracts them as field/value pairs. You can configure it to extract fields from structured data formats like JSON, CSV, and from table-formatted events. Automatic key-value field extraction cannot be configured in Splunk Web, and cannot be used for index-time field extractions.
Automatic key-value field extraction and the sequence of search operations
Search-time operation order
In the sequence of search operations, automatic key-value field extraction occurs after transform extractions and before field aliasing.
Restrictions
Splunk software processes automatic key-value field extractions in the order that it finds them in events.
For more information
See search time operations sequence.
Automatic key-value field extraction format
The following is the format for autoKV field extraction.
KV_MODE = [none|auto|auto_escaped|multi|json|xml]
KV_MODE value | Description |
---|---|
none
|
Disables field extraction for the source, source type, or host identified by the stanza name. Use this setting to ensure that other regular expressions that you create are not overridden by automatic field/value extraction for a particular source, source type, or host. Use this setting to increase search performance by disabling extraction for common but nonessential fields. We have some field extraction examples at the end of this topic that demonstrate the disabling of field extraction in different circumstances. |
auto
|
This is the default field extraction behavior if you do not include this attribute in your field extraction stanza. Extracts field/value pairs and separates them with equal signs. |
auto_escaped
|
Extracts field/value pairs and separates them with equal signs, and ensures that Splunk Enterprise recognizes \" and \\ as escaped sequences within quoted values. For example: field="value with \"nested\" quotes" .
|
multi
|
Invokes the multikv search command, which extracts field values from table-formatted events.
|
xml
|
Use this setting to use the field extraction stanza to extract fields from XML data. This mode does not extract non-XML data. |
json
|
Use this setting to use the field extraction stanza to extract fields from JSON data. This mode does not extract non-JSON data.
|
When KV_MODE
is set to auto
or auto_escaped
, automatic JSON field extraction can take place alongside other automatic key/value field extractions. To disable JSON field extraction when KV_MODE
is set to auto
or auto_escaped
, add AUTO_KV_JSON=false
to the stanza. When not set, AUTO_KV_JSON
defaults to true
.
AUTO_KV_JSON = false
applies only when KV_MODE = auto
or auto_escaped
. Setting AUTO_KV_JSON = false
when KV_MODE
is set to none
, multi
, json
, or xml
has no effect.
Disabling automatic extractions for specific sources, source types, or hosts
You can disable automatic search-time field extraction for specific sources, source types, or hosts in props.conf
. Add KV_MODE = none
for the appropriate [<spec>]
in props.conf
. When automatic key-value field extraction is disabled, explicit field extraction still takes place.
Custom field extractions set up manually via the configuration files or Splunk Web will still be processed for the affected source, source type, or host when KV_MODE = none
.
[<spec>] KV_MODE = none
<spec>
can be:
<sourcetype>
, where<sourcetype>
is the event source type.host::<host>
, where<host>
is the host for an event.source::<source>
, where<source>
is the source for an event.
Configure advanced extractions with field transforms | Example inline field extraction configurations |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2
Feedback submitted, thanks!