Normally Splunk will pull key-value pairs out automatically
However, when it doesn’t, go try your regular expression(s) on regex101 – the field extractor is often a good[ish] start, but rarely creates efficient (or complete) regular expressions
An inline version of this would be as follows (presuming the "value" half of the key-value pair is contiguous characters):
| rex field=_raw "k1=(?<k1>\S+)\s+k2=(?<k2>\S+)\s+k3=(?<k3>\S+)\s+k4=(?<k4>\S+)\s+k5=(?<k5>\S+)"
Normally I prefer to do sequential rex calls, in case something’s out of order or missing, but if your data’s consistent, this will work
Once you have it the way you want it, update your props.conf and transforms.conf as appropriate for the sourcetype
from User warren – Stack Overflow https://stackoverflow.com/questions/72965208/splunk-field-extractor-unable-to-extract-all-values/72966267#72966267
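Added example (not part of warren's answer or of Splunk itself): the single chained regex from the answer beside the "sequential rex" approach it recommends, run in Python's `re` over a few constructed events. Splunk's PCRE-style `(?<name>...)` groups become `(?P<name>...)` in Python; the sample events, key names and helper functions are all assumptions made for this illustration. It shows why one chained pattern is all-or-nothing when a key is missing or out of order, and how `\S+` silently truncates a value that contains whitespace (the "contiguous characters" assumption the answer calls out).

```python
import re

# Constructed sample events (not taken from the original post). The first one
# matches the chained pattern exactly; the rest exercise the failure modes the
# answer warns about: a missing key, keys out of order, and a value with a space.
SAMPLE_EVENTS = [
    "k1=alpha k2=bravo k3=charlie k4=delta k5=echo",
    "k1=alpha k2=bravo k4=delta k5=echo",                     # k3 missing
    "k2=bravo k1=alpha k3=charlie k5=echo k4=delta",          # out of order
    'k1=alpha k2="has a space" k3=charlie k4=delta k5=echo',  # non-contiguous value
]

KEYS = ["k1", "k2", "k3", "k4", "k5"]

# Python rendering of the single inline rex from the answer.
# Splunk: k1=(?<k1>\S+)\s+k2=(?<k2>\S+)...   Python: (?P<k1>\S+) etc.
CHAINED = re.compile(
    r"k1=(?P<k1>\S+)\s+k2=(?P<k2>\S+)\s+k3=(?P<k3>\S+)\s+k4=(?P<k4>\S+)\s+k5=(?P<k5>\S+)"
)


def extract_chained(event: str) -> dict:
    """One regex for all five keys: behaves like a single `| rex` call.

    If any key is absent or out of sequence the whole match fails and
    nothing is extracted.
    """
    m = CHAINED.search(event)
    return m.groupdict() if m else {}


def extract_sequential(event: str, keys=KEYS) -> dict:
    """One small regex per key, mirroring a chain of sequential `| rex` calls.

    Each key is searched for independently, so a missing or reordered key
    only costs that one field. The value is still `\\S+`, so a value that
    contains whitespace is cut at the first space, exactly as in the answer.
    """
    fields = {}
    for key in keys:
        # re.escape guards against key names that contain regex metacharacters;
        # (?:^|\s) anchors to a token boundary so "xk1=" does not match "k1=".
        m = re.search(rf"(?:^|\s){re.escape(key)}=(?P<value>\S+)", event)
        if m:
            fields[key] = m.group("value")
    return fields


def compare(events=SAMPLE_EVENTS) -> list:
    """Return, per event, how many fields each approach recovered."""
    return [
        (len(extract_chained(ev)), len(extract_sequential(ev)))
        for ev in events
    ]


if __name__ == "__main__":
    for ev, (chained_n, seq_n) in zip(SAMPLE_EVENTS, compare()):
        print(f"{ev!r}\n  chained: {chained_n} fields  sequential: {seq_n} fields")
```

Running it shows the chained pattern extracting five fields from the first event and zero from the other three, while the sequential version recovers everything that is actually present; the fourth event demonstrates that sequential extraction is not a fix for whitespace in values, since `k2` comes back as `"has`. That is the point at which the field extractor's regex, or your own, needs a quoted-value alternative before it goes into props.conf and transforms.conf.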