<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic field extractions transforms in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/field-extractions-transforms/m-p/509565#M86676</link>
    <description>&lt;P&gt;Hi,&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;I am unable to figure out a regex that matches the key value pairs of my data , I think the transforms.conf regex and format would help here.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;I am posting a sample event.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#FF0000"&gt;SAEGW-SGW10,sdfsd-sdfafsadf:1,sdafsdf:3,asdfsdf:3,dsfgdsfgretewq:0&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;It is just a FIELD_NAME:FIELD_VALUE pair. Just the first word of the event does not have a value associated with it.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have tried this&amp;nbsp;([^\:]+)\:([^\,]+)\, but this not 100% accurate . Looking for more accuracy.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 16 Jul 2020 18:32:44 GMT</pubDate>
    <dc:creator>nawazns5038</dc:creator>
    <dc:date>2020-07-16T18:32:44Z</dc:date>
    <item>
      <title>field extractions transforms</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/field-extractions-transforms/m-p/509565#M86676</link>
      <description>&lt;P&gt;Hi,&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;I am unable to figure out a regex that matches the key value pairs of my data , I think the transforms.conf regex and format would help here.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;I am posting a sample event.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#FF0000"&gt;SAEGW-SGW10,sdfsd-sdfafsadf:1,sdafsdf:3,asdfsdf:3,dsfgdsfgretewq:0&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;It is just a FIELD_NAME:FIELD_VALUE pair. Just the first word of the event does not have a value associated with it.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have tried this&amp;nbsp;([^\:]+)\:([^\,]+)\, but this not 100% accurate . Looking for more accuracy.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 16 Jul 2020 18:32:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/field-extractions-transforms/m-p/509565#M86676</guid>
      <dc:creator>nawazns5038</dc:creator>
      <dc:date>2020-07-16T18:32:44Z</dc:date>
    </item>
    <item>
      <title>Re: field extractions transforms</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/field-extractions-transforms/m-p/509582#M86679</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;Do you mean that there is&lt;/P&gt;&lt;P&gt;Field name + possible value separated by : and those pairs is always separated by , ?&lt;/P&gt;&lt;P&gt;r. Ismo&lt;/P&gt;</description>
      <pubDate>Thu, 16 Jul 2020 19:32:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/field-extractions-transforms/m-p/509582#M86679</guid>
      <dc:creator>isoutamo</dc:creator>
      <dc:date>2020-07-16T19:32:09Z</dc:date>
    </item>
  </channel>
</rss>

