https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21687#M734 <P>I don't think you can use DELIMS to do this because as you've noted it doesn't work well when one of your delimiters shows up in a key or value field. I had to solve this by using a REGEX instead, see: <A href="http://splunk-base.splunk.com/answers/34550/help-with-regex-to-separate-keyvalue-pairs-with-a-character-sequence">http://splunk-base.splunk.com/answers/34550/help-with-regex-to-separate-keyvalue-pairs-with-a-character-sequence</A></P> <P>in your case you would want to craft a regex that captures into two capture groups, group 1 is the key and group 2 is the value.<BR /><BR /> REGEX = To be created<BR /> FORMAT = $1::$2</P> <P>i will try to figure out the regex, but my regex-fu is of a medium level so hopefully someone will beat me to it.</P> Wed, 23 Nov 2011 17:30:18 GMT tpsplunk 2011-11-23T17:30:18Z https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21686#M733 <P>Given the event (output from Cisco ASA 'show vpn-sessiondb full svc' command)...</P> <P>Session ID: 33397 | EasyVPN: 0 | Username: <A href="mailto:user@company.com">user@company.com</A> | Group: VPN-User | Tunnel Group: WebVPN-AD-Authentication | IP Addr: 192.168.1.1 | Public IP: 184.151.1.1 | Protocol: Clientless SSL-Tunnel DTLS-Tunnel | License: SSL VPN | Session Subtype: With client | Encryption: RC4 AES128 | Login Time: 15:35:44 EST Tue Nov 22 2011 | Duration: 0h:00m:35s | Inactivity: 0h:00m:00s | Bytes Tx: 20277 | Bytes Rx: 19574 | NAC Result: Unknown | Posture Token: | VLAN Mapping: N/A | VLAN: 0 ||</P> <P>... I am able to extract the key-value pairs using:</P> <P>**props.conf<BR /> [vpnsessiondata]<BR /><BR /> DATETIME_CONFIG=CURRENT<BR /><BR /> REPORT-sessiondata=sessiondata</P> <P>**transforms.conf<BR /><BR /> [sessiondata]<BR /><BR /> DELIMS = "|", ":"</P> <P>The problem during searches is that a field is ignored if the character delimiting the key from the value (":" in this case) is also contained within the value (any time value for instance).</P> <P>How can I deal with this?</P> <P>Thanks! Jeff</P> Wed, 23 Nov 2011 16:42:45 GMT https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21686#M733 jkloet 2011-11-23T16:42:45Z https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21687#M734 <P>I don't think you can use DELIMS to do this because as you've noted it doesn't work well when one of your delimiters shows up in a key or value field. I had to solve this by using a REGEX instead, see: <A href="http://splunk-base.splunk.com/answers/34550/help-with-regex-to-separate-keyvalue-pairs-with-a-character-sequence">http://splunk-base.splunk.com/answers/34550/help-with-regex-to-separate-keyvalue-pairs-with-a-character-sequence</A></P> <P>in your case you would want to craft a regex that captures into two capture groups, group 1 is the key and group 2 is the value.<BR /><BR /> REGEX = To be created<BR /> FORMAT = $1::$2</P> <P>i will try to figure out the regex, but my regex-fu is of a medium level so hopefully someone will beat me to it.</P> Wed, 23 Nov 2011 17:30:18 GMT https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21687#M734 tpsplunk 2011-11-23T17:30:18Z https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21688#M735 <P>Not sure whether this will work, but give it a try.</P> <P><CODE>transforms.conf<BR /> [sessiondata]<BR /> DELIMS = "|", ": "</CODE></P> <P>Notice the space after <CODE>:</CODE> in <CODE>DELIMS</CODE></P> <P>Hope this helps.</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Wed, 23 Nov 2011 17:35:08 GMT https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21688#M735 _d_ 2011-11-23T17:35:08Z https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21689#M736 <P>That would be nice however the documentation says:</P> <P>[multiple_delims]<BR /> DELIMS = "|;", "=:"</P> <P>*The above example extracts key-value pairs which are separated by '|' or ';'.<BR /> *while the key is delimited from value by '=' or ':'.</P> Wed, 23 Nov 2011 17:47:14 GMT https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21689#M736 jkloet 2011-11-23T17:47:14Z https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21690#M737 <P>OK, in that case then try something like this using your transforms stanza:</P> <P><CODE>transforms.conf <BR /> [sessiondata] <BR /> REGEX = ([^\|]+):\s([^\|]+)<BR /> FORMAT = $1::$2</CODE></P> <P>REGEX reads "anything that is not a pipe, followed by a colon, followed by a space, followed by a pipe, followed by anything that is not a pipe.</P> <P>Hope this helps.</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Wed, 23 Nov 2011 18:04:02 GMT https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21690#M737 _d_ 2011-11-23T18:04:02Z https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21691#M738 <P>That works as needed... thanks!! Jeff</P> Wed, 23 Nov 2011 18:40:09 GMT https://community.splunk.com/t5/Security/Key-value-pair-extraction/m-p/21691#M738 jkloet 2011-11-23T18:40:09Z