topic Re: separate semicolon and create table in Splunk Enterprise

How to separate semicolon and create table?

padrsri — Wed, 08 Mar 2023 20:32:00 GMT

The search table is empty other than _time for message. Can you please advise how to disable kay values in table.

Sample message

{
"timestamp": "2023-03-05 19:06:43,978+0000",
"level": "INFO",
"location": "request:201",
"message": "CSSRequestId=12312311-sdgdgdbbsaas;ProcessingRegion=us-east-1;RequestStatus=Completed;Platform=;RequestId=12312311-869a-3932-97d1-sdgdgdbbsaas--123123;ResponseStatusCode=200;PlatformBuckets=['e1--application','e2-application'];DestKey=Dev/20/03/05/14/01-01-0-File.xml;Source=external;SourceKey=abcded/xyz/file.xml;",
"service": "gwy",
"cold_start": true,
"function_name": "GWY-IB",
"function_memory_size": "208",
"function_arn": "arn:aws:us-east-3:ib",
"function_request_id": "xxxxxxxxxxxxxx",
"xray_trace_id": "1-xxxxxxxx"
}

Search index:

index="text" RequestStatus RequestID | table RequestStatus, RequestID,PlatformBuckets,ResponseStatusCode _time

index="text" RequestStatus RequestID | rex "RequestStatus = (?<RequestStatus>\S+)" | rex "RequestID = ?[\S+](?<RequestID>[\S+]*)" | table RequestStatus, RequestID,PlatformBuckets,ResponseStatusCode _time

Re: separate semicolon and create table

richgalloway — Wed, 08 Mar 2023 19:59:37 GMT

When table fields are blank it's almost always because the field is null (other times it's an empty string). In this case, the fields are null because the rex commands don't match the data and because 2 fields in the table command are not extracted. When creating regular expressions for the rex command, spaces and case are very significant.

Try this query

index="test RequestId RequestStatus | rex "RequestStatus=(?<RequestStatus>\w+)" | rex "RequestId=(?<RequestID>[^;]*)" | rex "PlatformBuckets=(?<PlatformBuckets>[^;]+)" | rex "ResponseStatusCode=(?<ResponseStatusCode>\d+)" | table RequestStatus, RequestID,PlatformBuckets,ResponseStatusCode _time

Re: separate semicolon and create table

padrsri — Wed, 08 Mar 2023 20:21:47 GMT

Thank you for quick response. Since all key’s/values are separating with semicolon without any space (e.g., Key1=TestValue;Key1=TestValue2; is there any generic function. Thank you for your help.

message sample

Key1=TestValue;Key1=TestValue2;Key3=TestValue3;

Re: separate semicolon and create table

richgalloway — Thu, 09 Mar 2023 01:06:16 GMT

The extract command will handle the case where all values are separated by the same set of delimiters.

| extract pairdelim=";" kvdelim="="

That is not the case in your example data, however. Only the message field has those delimiters and the extract command only works on _raw. That's why I used rex, instead.

Re: separate semicolon and create table

padrsri — Thu, 09 Mar 2023 21:33:30 GMT

Thank you for quick response. pairdelim, kvdelim is not working. Since we have multiple key, values , is there any way to create template or some other process?