https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/745044#M11903 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309365">@kunalsingh</a>&nbsp;</P><P>Use a REPORT transform in props.conf and transforms.conf to define the field extractions based on your delimiters.</P><PRE>==props.conf==<BR />[your_sourcetype] # Replace your_sourcetype with the actual sourcetype of your data REPORT-kv_pairs = extract_custom_kv<BR /><BR />==transforms.conf==<BR />[extract_custom_kv] REGEX = ([^=\^]+)=([^\^]*) FORMAT = $1::$2 MV_ADD = true</PRE><P>This configuration defines a field extraction named extract_custom_kv.</P><UL><LI>REGEX = ([^=\^]+)=([^\^]*): This regular expression finds key-value pairs separated by =.</LI><LI>([^=\^]+) captures the key (any character except = or ^).</LI><LI>= matches the literal equals sign.</LI><LI>([^\^]*) captures the value (any character except ^, including an empty string). This correctly handles fields like documentName= where the value is empty.</LI><LI>FORMAT = $1::$2: This assigns the captured key (group 1) and value (group 2) to a Splunk field.</LI><LI>MV_ADD = true: Ensures that if multiple key-value pairs are found in a single event, they are all extracted.</LI></UL><P>Check a working example at&nbsp;<A href="https://regex101.com/r/yAjRVa/1" target="_blank" rel="noopener">https://regex101.com/r/yAjRVa/1</A></P><P>This method correctly identifies the ^ character as the delimiter between pairs and = as the separator within a pair, handling empty values appropriately. The regex you provided, ^([^=]+)=([^^\<EM>]</EM>), likely failed because the ^ anchor restricts it to the start of the string, and the character class [^^\*] might not behave as expected compared to [^\^].</P><P>&nbsp;</P><DIV><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span> <STRONG>Did this answer help you?</STRONG> If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P></DIV> Sat, 26 Apr 2025 21:13:32 GMT livehybrid 2025-04-26T21:13:32Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/744894#M11901 <P>I have used this regex -</P><PRE><SPAN class="">\^</SPAN><SPAN class="">(</SPAN><SPAN class=""><SPAN class="">[</SPAN><SPAN class="">^</SPAN>=<SPAN class="">]</SPAN></SPAN><SPAN class="">+</SPAN><SPAN class="">)</SPAN>=<SPAN class="">(</SPAN><SPAN class=""><SPAN class="">[</SPAN><SPAN class="">^</SPAN>^<SPAN class="">]</SPAN></SPAN><SPAN class="">*</SPAN><SPAN class="">)</SPAN></PRE><PRE>Apr 23 21:43:22 3.111.9.101 CEF:0|Seqrite|EPS|5.2.1.0|Data Loss Prevention Event|^|channelType=Applications/Online Services^domainName=AVOTRIXLABS^endpointName=ALEI5-ANURAGR^groupName=Default^channelDetail=Microsoft OneDrive Client^documentName=^filePath=C:\Users\anurag.rathore.AVOTRIXLABS\OneDrive - Scanlytics Technology\Documents\git\splunk_prod\deployment-apps\Fleet_Management_Dashboard\appserver\static\fontawesome-free-6.1.1-web\svgs\solid\flask-vial.svg^macID1=9C-5A-44-0A-26-5B^status=Success^subject=^actionId=Skipped^printerName=^recipientList=^serverDateTime=Wed Apr 23 16:13:57 UTC 2025^matchedItem=Visa^sender=^contentType=Confidential Data^dataId=Client Application^incidentOn=Wed Apr 23 16:07:38 UTC 2025^ipAddressFromClient=***.***.*.16^macID2=00-FF-58-34-31-0E^macID3=B0-FC-36-CA-1C-73^userName=anurag.rathore&nbsp;<BR /><BR /></PRE><P>it is able to extract all field correctly Except a few fields .<BR />Here documentName should be empty but it is showing this on search time.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 586px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/38730i461A916C88519487/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span>&nbsp;</P> Thu, 24 Apr 2025 10:46:33 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/744894#M11901 kunalsingh 2025-04-24T10:46:33Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/745039#M11902 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309365">@kunalsingh</a>&nbsp;,</P><P>please try this:</P><LI-CODE lang="markup">\^([^\=]+)=([^\^]*)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Sat, 26 Apr 2025 16:21:52 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/745039#M11902 gcusello 2025-04-26T16:21:52Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/745044#M11903 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309365">@kunalsingh</a>&nbsp;</P><P>Use a REPORT transform in props.conf and transforms.conf to define the field extractions based on your delimiters.</P><PRE>==props.conf==<BR />[your_sourcetype] # Replace your_sourcetype with the actual sourcetype of your data REPORT-kv_pairs = extract_custom_kv<BR /><BR />==transforms.conf==<BR />[extract_custom_kv] REGEX = ([^=\^]+)=([^\^]*) FORMAT = $1::$2 MV_ADD = true</PRE><P>This configuration defines a field extraction named extract_custom_kv.</P><UL><LI>REGEX = ([^=\^]+)=([^\^]*): This regular expression finds key-value pairs separated by =.</LI><LI>([^=\^]+) captures the key (any character except = or ^).</LI><LI>= matches the literal equals sign.</LI><LI>([^\^]*) captures the value (any character except ^, including an empty string). This correctly handles fields like documentName= where the value is empty.</LI><LI>FORMAT = $1::$2: This assigns the captured key (group 1) and value (group 2) to a Splunk field.</LI><LI>MV_ADD = true: Ensures that if multiple key-value pairs are found in a single event, they are all extracted.</LI></UL><P>Check a working example at&nbsp;<A href="https://regex101.com/r/yAjRVa/1" target="_blank" rel="noopener">https://regex101.com/r/yAjRVa/1</A></P><P>This method correctly identifies the ^ character as the delimiter between pairs and = as the separator within a pair, handling empty values appropriately. The regex you provided, ^([^=]+)=([^^\<EM>]</EM>), likely failed because the ^ anchor restricts it to the start of the string, and the character class [^^\*] might not behave as expected compared to [^\^].</P><P>&nbsp;</P><DIV><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span> <STRONG>Did this answer help you?</STRONG> If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P></DIV> Sat, 26 Apr 2025 21:13:32 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/745044#M11903 livehybrid 2025-04-26T21:13:32Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/745047#M11904 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/309365">@kunalsingh</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 27 Apr 2025 07:41:34 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Fields-Extraction/m-p/745047#M11904 gcusello 2025-04-27T07:41:34Z