topic Re: How can I extract these fields to have a table output with the field value (AAAAA) rather than name="AAAAA"? in Splunk Search

How can I extract these fields to have a table output with the field value (AAAAA) rather than name="AAAAA"?

isabellechristo — Tue, 29 Sep 2020 17:20:10 GMT

Hello,

I have _raw data like this:
time , name="AAAAAA",first_name="BBBBB"

When I look with table I saw this :

_time                name                    first_name
12/20/2017    name="AAAAA"   first_name="BBBBB"

How can I have the output result in showing the fields this way instead:

_time                name                    first_name
12/20/2017    "AAAAA"                 "BBBBB"

Thank you for your help

Re: How can I extract these fields to have a table output with the field value (AAAAA) rather than name="AAAAA"?

richgalloway — Wed, 20 Dec 2017 21:58:48 GMT

It's probably something simple like adding kv_mode = auto to your props.conf file. We could help more if you would share the props.conf settings for that sourcetype.

Re: How can I extract these fields to have a table output with the field value (AAAAA) rather than name="AAAAA"?

msivill_splunk — Wed, 20 Dec 2017 22:03:46 GMT

Standalone example using rex and overwriting existing field values

| makeresults 
| eval name = "name=\"AAAA\"" 
| eval first_name = "first_name=\"BBBB\"" 
| rex field=name "name=(?<name>.*)" 
| rex field=first_name "first_name=(?<first_name>.*)"

Standalone example showing further field extractions with rex (in case you wanted to remove the quotes)

| makeresults 
| eval name = "name=\"AAAA\"" 
| eval first_name = "first_name=\"BBBB\"" 
| rex field=name "name=(?<name2>.*)" 
| rex field=name "name=\"(?<name3>.*)\"" 
| rex field=first_name "first_name=(?<first_name2>.*)" 
| rex field=first_name "first_name=\"(?<first_name3>.*)\""

Re: How can I extract these fields to have a table output with the field value (AAAAA) rather than name="AAAAA"?

lukas_loder — Wed, 20 Dec 2017 22:04:43 GMT

If you use it only once you can try it with this command

| rex field=_raw "name=\"(?<name>[^\"].+)\",first_name=\"(?<first_name>[^\"].+)\""

If you are using it more then one. Try to extract new fields with the field extractor. There you can also use the regex from above.

Re: How can I extract these fields to have a table output with the field value (AAAAA) rather than name="AAAAA"?

nickhills — Wed, 20 Dec 2017 22:09:13 GMT

To quickly fix this, so you can render your table correctly try:

<your search>|rex field=name "name=(?<newname>.*)"|rex field=first_name "first_name=(?<newfirst_name>.*)"|table _time newname newfirst_name

However as @richgalloway points out - you should probably fix this in props.conf