topic How do I parse a key value field in Splunk and search based on values of that field? in Splunk Search

How do I parse a key value field in Splunk and search based on values of that field?

gb0143 — Mon, 14 Aug 2017 17:06:43 GMT

I have a log as follows
14AUG2017_12:54:44.903 3418:13 INFO filename.cpp:200 ID:abc123 contextInfo: [ peer_service: someservice ] object: [ prop1:SOMETHING, prop2:SOMETHING2, prop3:someInt ] otherInfo: [ numEvents:1, dates:[ 01AUG2017 - 01AUG2017 ] otherInfo: [ someOtherInfo:23, someMoreOtherInfo:MID ] ]
How would I extract the "numEvents" field and query based on it. For example, numFields > 10. I intend to eventually extract all the fields and make a dashboard but in order to do that I have to understand how the field extraction works.

Re: How do I parse a key value field in Splunk and search based on values of that field?

somesoni2 — Mon, 14 Aug 2017 17:22:07 GMT

You can add following search time field extraction (using transforms) on your search head(s).

props.conf (on search head)

[YourSourceTypeGoesHere]
REPORT-extractFields = colon_separated_fields

transforms.conf(on search head)

[colon_separated_fields]
REGEX = (\w+)\:([^,\s]+)
FORMAT = $1:$2

This should extract your fields which are separated by colon, which you can use in the base search to filter (index=foo sourucetype=YourSourcetype numEvents>0)

If you want to do it inline in the search, do like this

index=foo sourucetype=YourSourcetype |  extract pairdelim="," kvdelim=":" | where numEvents>0