https://community.splunk.com/t5/Splunk-Dev/Extract-fields-fomr-Python-Dictionary-text-file/m-p/108292#M1605 <P>How do I create an extract that handles variable numbers of fields.</P> <P>I am generating events that are time stamped Python dictionaries. The list of items are emitted to the event using Python logging where everything in curly brackets was from a single Python dictionary. The dictionary is rendered using built-in rend(d) where d is a dict. The list of items in the {} brackets are variable, and the order of items is arbitrary.</P> <P>2013/07/18 19:51:00.090 UTC [DssSplunkHostAgent] INFO: {'rtime': 31556.303133832, 'ABI': 32, 'egid': 20000, 'uid': 101, 'mrcv': 0, 'pctcpu': 0.0, 'pctmem': 0.5523681640625, 'args': 'python -W ignore::DeprecationWarning -m DssCore', 'pid': 9452, 'Taskname': 'DssCore', 'start': datetime.datetime(2013, 7, 18, 11, 5, 5, 785854), 'gid': 20000, 'euid': 101, 'fname': 'python', 'time': 1.244510313, 'oublk': 0, 'dmodel': 1, 'inblk': 0, 'ppid': 9289, 'msnd': 0, 'ctime': 256.16}</P> Fri, 26 Jul 2013 22:52:13 GMT Claw 2013-07-26T22:52:13Z https://community.splunk.com/t5/Splunk-Dev/Extract-fields-fomr-Python-Dictionary-text-file/m-p/108292#M1605 <P>How do I create an extract that handles variable numbers of fields.</P> <P>I am generating events that are time stamped Python dictionaries. The list of items are emitted to the event using Python logging where everything in curly brackets was from a single Python dictionary. The dictionary is rendered using built-in rend(d) where d is a dict. The list of items in the {} brackets are variable, and the order of items is arbitrary.</P> <P>2013/07/18 19:51:00.090 UTC [DssSplunkHostAgent] INFO: {'rtime': 31556.303133832, 'ABI': 32, 'egid': 20000, 'uid': 101, 'mrcv': 0, 'pctcpu': 0.0, 'pctmem': 0.5523681640625, 'args': 'python -W ignore::DeprecationWarning -m DssCore', 'pid': 9452, 'Taskname': 'DssCore', 'start': datetime.datetime(2013, 7, 18, 11, 5, 5, 785854), 'gid': 20000, 'euid': 101, 'fname': 'python', 'time': 1.244510313, 'oublk': 0, 'dmodel': 1, 'inblk': 0, 'ppid': 9289, 'msnd': 0, 'ctime': 256.16}</P> Fri, 26 Jul 2013 22:52:13 GMT https://community.splunk.com/t5/Splunk-Dev/Extract-fields-fomr-Python-Dictionary-text-file/m-p/108292#M1605 Claw 2013-07-26T22:52:13Z https://community.splunk.com/t5/Splunk-Dev/Extract-fields-fomr-Python-Dictionary-text-file/m-p/108293#M1606 <P>Here is a very clean answer. It assumes that the sourcetype is called python dictionary. Change this to meet your needs.</P> <P>The oddball issue here is the "start" field so we set up automated extractions for every thing else using DELIMS and handle the exceptions with regular extracts.</P> <P>Props.conf</P> <P>[pythondictionary]<BR /> EXTRACT-PD_MessageLevel = (?i)[.<EM>?] (?P<PD_MESSAGELEVEL>\w+)(?=:)<BR /> EXTRACT-PD_Agent = (?i)^[^[]</PD_MESSAGELEVEL></EM>[(?P<PD_AGENT>[^]]+)<BR /> REPORT-pythondictionary = PD-Extract<BR /> EXTRACT-PD_Message = {(?P<PD_MESSAGE>.+)(?=})<BR /> EXTRACT-start = \'start\':\s(?<START>.*?),\s\'</START></PD_MESSAGE></PD_AGENT></P> <P>Transforms.conf</P> <P>[PD-Extract]<BR /> SOURCE_KEY = PD_Message<BR /> DELIMS = ",", ":"</P> <P>Kudos for this solution goes to Dritan Bitincka in Splunk ps.</P> Mon, 28 Sep 2020 14:26:41 GMT https://community.splunk.com/t5/Splunk-Dev/Extract-fields-fomr-Python-Dictionary-text-file/m-p/108293#M1606 Claw 2020-09-28T14:26:41Z