topic How to handle fieldname=name, fieldvalue=value in Getting Data In

How to handle fieldname=name, fieldvalue=value

mikedgibson — Wed, 14 May 2014 20:47:34 GMT

I currently have data that I want to extract fields from that looks like this

fieldname1=name1, fieldvalue1=value1, fieldname2=name2, fieldvalue2=value2

I want to extract the fields and make it look like this.

name1=value1
name2=value2

Is this possible with Splunk through modifications to the props.conf and transforms.conf?

Thanks.

Re: How to handle fieldname=name, fieldvalue=value

Ayn — Wed, 14 May 2014 20:57:42 GMT

Sure, you can define your own key/value extraction transforms. Something like this should do it:

props.conf:

[yoursourcetype]
REPORT-fieldkv = fieldkv

transforms.conf:

[fieldkv]
REGEX = fieldname\d+=([^,]+), fieldvalue\d+=([^,]+)
FORMAT = $1::$2

Re: How to handle fieldname=name, fieldvalue=value

mikedgibson — Wed, 14 May 2014 21:12:40 GMT

Thanks. Sorry, I messed up my sample a little bit. It could look like this.

field name1=name 1 field value1=value 1 field name2=name 2 field value2=value2

It is using space delimiters (not commas) and unfortunately the field names and values can have spaces and I can't control the order of the fields other than to know field 1 value always follows field 1 name.

I only have basic regex experience and not sure if there is anything that can cover that.

Re: How to handle fieldname=name, fieldvalue=value

martin_mueller — Thu, 15 May 2014 00:51:24 GMT

You might be able to adapt the extraction like this:

REGEX = field name\d+=([^=]+?) field value\d+=(([^=]+?)(?= field name\d+)|(.*))

That's assuming the event ends after the last field.
Look for the field name, grab that, look for the field value, grab that until the start of the next field or grab until the end if there's no other field name coming.

Note, and that's a big note, extracting data like this is quite fragile.