Hi,
Well, there must be a really easy answer for this, but I seem to be mentally blocked. :-)
So if I have field after a search that contains a string with regular key/value syntax, but I don't know what keys will be there, how can I extract those keys into actual Splunk fields?
E.g.
... | eval bla="gc_bla=bla gc_hsg=1234 gc_foo=bar" | ...
How do I get gc_bla, gc_hsg and gc_foo as fields in Splunk that I can work with?
I figured out how to do it with extract and something in transforms.conf, but I expect there is a more straight forward way?
↧