https://community.splunk.com/t5/Splunk-Search/Extracting-one-field-into-multiple-fields/m-p/363468#M107320 <P>I have some data that looks similar to the following:</P> <PRE><CODE>{ Name: Record1 Tags: [ { Key: Tag1 Value: Value1 } { Key: Tag2 Value: Value2 } { Key: Tag3 Value: Value3 } ] } </CODE></PRE> <P>I am trying to create output table that looks like the following:</P> <PRE><CODE>Name Tag1 Tag2 Tag3 ------------------------------- Record1 Value1 Value2 Value3 </CODE></PRE> <P>What have been trying to do so far is pathing into Tags and them combining them into one value, like so:</P> <P>... | spath tags=Tags{} output=Tags | nomv Tags</P> <P>This gives me one field with all the values that look like this:</P> <PRE><CODE> {Key:Tag1,Value:Value1}{Key:Tag2,Value:Value2}{Key:Tag3,Value:Value3} </CODE></PRE> <P>I'm thinking what I need to do next is a foreach statement to extract those values into an eval field, but can't quite seem to get it. Keep in mind I don't know what the Tags will be actually named, what their value will be, or how many there are for any given record. </P> <P>Any suggestions would be appreciated. Or if there is an easier way to accomplish this, I am open to anything. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks!</P> Mon, 19 Mar 2018 13:32:01 GMT BearMormont 2018-03-19T13:32:01Z https://community.splunk.com/t5/Splunk-Search/Extracting-one-field-into-multiple-fields/m-p/363468#M107320 <P>I have some data that looks similar to the following:</P> <PRE><CODE>{ Name: Record1 Tags: [ { Key: Tag1 Value: Value1 } { Key: Tag2 Value: Value2 } { Key: Tag3 Value: Value3 } ] } </CODE></PRE> <P>I am trying to create output table that looks like the following:</P> <PRE><CODE>Name Tag1 Tag2 Tag3 ------------------------------- Record1 Value1 Value2 Value3 </CODE></PRE> <P>What have been trying to do so far is pathing into Tags and them combining them into one value, like so:</P> <P>... | spath tags=Tags{} output=Tags | nomv Tags</P> <P>This gives me one field with all the values that look like this:</P> <PRE><CODE> {Key:Tag1,Value:Value1}{Key:Tag2,Value:Value2}{Key:Tag3,Value:Value3} </CODE></PRE> <P>I'm thinking what I need to do next is a foreach statement to extract those values into an eval field, but can't quite seem to get it. Keep in mind I don't know what the Tags will be actually named, what their value will be, or how many there are for any given record. </P> <P>Any suggestions would be appreciated. Or if there is an easier way to accomplish this, I am open to anything. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks!</P> Mon, 19 Mar 2018 13:32:01 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-one-field-into-multiple-fields/m-p/363468#M107320 BearMormont 2018-03-19T13:32:01Z https://community.splunk.com/t5/Splunk-Search/Extracting-one-field-into-multiple-fields/m-p/363469#M107321 <P>Try using transforms and extract keys and values into different groups.</P> <P>Enable multi value for the transforms</P> <P><CODE><BR /> [keyvaluepairs]<BR /> REGEX = \{\"key\"\:\"([^\"]+)\",\"value\"\:\"([^\"]+)<BR /> FORMAT=$1::$2<BR /> </CODE></P> <P>and use above transforms like below in search</P> <P><CODE>search | extract keyvaluepairs</CODE></P> Tue, 20 Mar 2018 23:14:26 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-one-field-into-multiple-fields/m-p/363469#M107321 kyaparla 2018-03-20T23:14:26Z