https://community.splunk.com/t5/Splunk-Search/How-to-translate-mv-field-extraction-from-SPL-to-configuration/m-p/541171#M153197 <P><FONT size="5"><STRONG>Situation</STRONG></FONT><BR />I am trying to parse events with an unrestricted number of key value pairs&nbsp; that might also include empty values at some places. I would like to extract the part between the closing parenthesis and opening square bracket as the field name without spaces (but don't want them replaced by underscores)</P><P>This is an example of such data:</P><P>&nbsp;</P><LI-CODE lang="markup">2021-02-24 10:02:31 Local0 Info 10:02:31:346 VARC-DCM-01.ad.maastro.nl MAASTRO\VARC-DCM-01$|80012|DICOM Service VARC_DCM_SCP_SVC_Export 021556/Export requested for object with key: (0008,0008) Image Type [DERIVED] | (0008,0016) SOP Class UID [1.2.840.10008.5.1.4.1.1.481.1] | (0008,0022) Acquisition Date [20210223] | (0008,0023) Content Date [20210223] | (0008,0032) Acquisition Time [184740.207] | (0008,0033) Content Time [184740.208] | (0008,1150) Referenced SOP Class UID [1.2.840.10008.5.1.4.1.1.481.5] | (0020,0013) Instance Number [1] | (300C,0002) Referenced RT Plan Sequence [Mergecom.MCitem] | (300C,0006) Referenced Beam Number [1] | (300E,0002) Approval Status []</LI-CODE><P>&nbsp;</P><P><FONT size="5"><STRONG>Working solution using SPL</STRONG></FONT></P><P>Using this SPL expression (inspired by the example in&nbsp;<A title="Need to split string with variable number of fields" href="https://community.splunk.com/t5/All-Apps-and-Add-ons/Need-to-split-string-with-variable-number-of-fields/m-p/316340" target="_blank" rel="noopener">this question on multiple field extraction</A>) :</P><P>&nbsp;</P><LI-CODE lang="markup">| eval backup=_raw | rex max_match=0 mode=sed "s/(?:(?:\s\|)?\s)\((?&lt;g&gt;[\da-fA-F]{4}),(?&lt;e&gt;[\da-fA-F]{4})\)\s+(?&lt;k&gt;(?:\w+(?:\s*))+)\[(?&lt;v&gt;[^\]]*)\]/\3=\"\4\",/g" | rex mode=sed "s/\s//g" | extract pairdelim=":," kvdelim="=" | rename backup AS _raw</LI-CODE><P>&nbsp;</P><P>I am able to translate this to my desired outcome:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="25px">Image Type</TD><TD width="50%" height="25px">Derived</TD></TR><TR><TD width="50%" height="25px">SOP Class UID</TD><TD width="50%" height="25px">1.2.840.10008.5.1.4.1.1.481.1</TD></TR><TR><TD width="50%" height="25px">&nbsp;</TD><TD width="50%" height="25px">&nbsp;</TD></TR><TR><TD width="50%" height="25px">Referenced Beam Number</TD><TD width="50%" height="25px">1</TD></TR><TR><TD width="50%" height="25px">Approval Status</TD><TD width="50%" height="25px">&nbsp;</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><STRONG>Example in SPL (for testing)</STRONG></P><P>Here is a working example to help with testing:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="2021-02-24 10:02:31 Local0 Info 10:02:31:346 VARC-DCM-01.ad.maastro.nl MAASTRO\VARC-DCM-01$|80012|DICOM Service VARC_DCM_SCP_SVC_Export 021556/Export requested for object with key: (0008,0008) Image Type [DERIVED] | (0008,0016) SOP Class UID [1.2.840.10008.5.1.4.1.1.481.1] | (0008,0022) Acquisition Date [20210223] | (0008,0023) Content Date [20210223] | (0008,0032) Acquisition Time [184740.207] | (0008,0033) Content Time [184740.208] | (0008,1150) Referenced SOP Class UID [1.2.840.10008.5.1.4.1.1.481.5] | (0020,0013) Instance Number [1] | (300C,0002) Referenced RT Plan Sequence [Mergecom.MCitem] | (300C,0006) Referenced Beam Number [1] | (300E,0002) Approval Status []" | eval backup=_raw | rex max_match=0 mode=sed "s/(?:(?:\s\|)?\s)\((?&lt;g&gt;[\da-fA-F]{4}),(?&lt;e&gt;[\da-fA-F]{4})\)\s+(?&lt;k&gt;(?:\w+(?:\s*))+)\[(?&lt;v&gt;[^\]]*)\]/\3=\"\4\",/g" | rex mode=sed "s/\s//g" | extract pairdelim=":," kvdelim="=" | rename backup AS _raw</LI-CODE><P>&nbsp;</P><P><FONT size="5"><STRONG>Question</STRONG></FONT></P><P>Now I would like to transfer this to configuration files but I am unsure what to add where.&nbsp;</P><P><BR />I am guessing the regular expression goes in to tokenizer.conf based on <A href="https://community.splunk.com/t5/Getting-Data-In/What-is-the-syntax-for-makemv-delim-quot-quot-when-writing-it-in/m-p/276460" target="_self">this post</A>&nbsp;but not sure when combined with the sed command.</P><P>Normally SED commands I would put the SED commands into the transforms.conf file but how do I prevent them from applying to all evens? The events like the one processed in the example is only a subset of the events in the index and sourcetypes in there.<BR />The pairdelim and kvdelim are overrides to the default ones from the sourcetype configuration, not sure where to put this either.</P><P>Can someone guide me here? Is there some sort of sequence I can configure like the one in SPL to apply to&nbsp; specific events? How would I go about filtering out these events?</P> Wed, 24 Feb 2021 11:23:38 GMT jmartens 2021-02-24T11:23:38Z https://community.splunk.com/t5/Splunk-Search/How-to-translate-mv-field-extraction-from-SPL-to-configuration/m-p/541171#M153197 <P><FONT size="5"><STRONG>Situation</STRONG></FONT><BR />I am trying to parse events with an unrestricted number of key value pairs&nbsp; that might also include empty values at some places. I would like to extract the part between the closing parenthesis and opening square bracket as the field name without spaces (but don't want them replaced by underscores)</P><P>This is an example of such data:</P><P>&nbsp;</P><LI-CODE lang="markup">2021-02-24 10:02:31 Local0 Info 10:02:31:346 VARC-DCM-01.ad.maastro.nl MAASTRO\VARC-DCM-01$|80012|DICOM Service VARC_DCM_SCP_SVC_Export 021556/Export requested for object with key: (0008,0008) Image Type [DERIVED] | (0008,0016) SOP Class UID [1.2.840.10008.5.1.4.1.1.481.1] | (0008,0022) Acquisition Date [20210223] | (0008,0023) Content Date [20210223] | (0008,0032) Acquisition Time [184740.207] | (0008,0033) Content Time [184740.208] | (0008,1150) Referenced SOP Class UID [1.2.840.10008.5.1.4.1.1.481.5] | (0020,0013) Instance Number [1] | (300C,0002) Referenced RT Plan Sequence [Mergecom.MCitem] | (300C,0006) Referenced Beam Number [1] | (300E,0002) Approval Status []</LI-CODE><P>&nbsp;</P><P><FONT size="5"><STRONG>Working solution using SPL</STRONG></FONT></P><P>Using this SPL expression (inspired by the example in&nbsp;<A title="Need to split string with variable number of fields" href="https://community.splunk.com/t5/All-Apps-and-Add-ons/Need-to-split-string-with-variable-number-of-fields/m-p/316340" target="_blank" rel="noopener">this question on multiple field extraction</A>) :</P><P>&nbsp;</P><LI-CODE lang="markup">| eval backup=_raw | rex max_match=0 mode=sed "s/(?:(?:\s\|)?\s)\((?&lt;g&gt;[\da-fA-F]{4}),(?&lt;e&gt;[\da-fA-F]{4})\)\s+(?&lt;k&gt;(?:\w+(?:\s*))+)\[(?&lt;v&gt;[^\]]*)\]/\3=\"\4\",/g" | rex mode=sed "s/\s//g" | extract pairdelim=":," kvdelim="=" | rename backup AS _raw</LI-CODE><P>&nbsp;</P><P>I am able to translate this to my desired outcome:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="25px">Image Type</TD><TD width="50%" height="25px">Derived</TD></TR><TR><TD width="50%" height="25px">SOP Class UID</TD><TD width="50%" height="25px">1.2.840.10008.5.1.4.1.1.481.1</TD></TR><TR><TD width="50%" height="25px">&nbsp;</TD><TD width="50%" height="25px">&nbsp;</TD></TR><TR><TD width="50%" height="25px">Referenced Beam Number</TD><TD width="50%" height="25px">1</TD></TR><TR><TD width="50%" height="25px">Approval Status</TD><TD width="50%" height="25px">&nbsp;</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><STRONG>Example in SPL (for testing)</STRONG></P><P>Here is a working example to help with testing:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="2021-02-24 10:02:31 Local0 Info 10:02:31:346 VARC-DCM-01.ad.maastro.nl MAASTRO\VARC-DCM-01$|80012|DICOM Service VARC_DCM_SCP_SVC_Export 021556/Export requested for object with key: (0008,0008) Image Type [DERIVED] | (0008,0016) SOP Class UID [1.2.840.10008.5.1.4.1.1.481.1] | (0008,0022) Acquisition Date [20210223] | (0008,0023) Content Date [20210223] | (0008,0032) Acquisition Time [184740.207] | (0008,0033) Content Time [184740.208] | (0008,1150) Referenced SOP Class UID [1.2.840.10008.5.1.4.1.1.481.5] | (0020,0013) Instance Number [1] | (300C,0002) Referenced RT Plan Sequence [Mergecom.MCitem] | (300C,0006) Referenced Beam Number [1] | (300E,0002) Approval Status []" | eval backup=_raw | rex max_match=0 mode=sed "s/(?:(?:\s\|)?\s)\((?&lt;g&gt;[\da-fA-F]{4}),(?&lt;e&gt;[\da-fA-F]{4})\)\s+(?&lt;k&gt;(?:\w+(?:\s*))+)\[(?&lt;v&gt;[^\]]*)\]/\3=\"\4\",/g" | rex mode=sed "s/\s//g" | extract pairdelim=":," kvdelim="=" | rename backup AS _raw</LI-CODE><P>&nbsp;</P><P><FONT size="5"><STRONG>Question</STRONG></FONT></P><P>Now I would like to transfer this to configuration files but I am unsure what to add where.&nbsp;</P><P><BR />I am guessing the regular expression goes in to tokenizer.conf based on <A href="https://community.splunk.com/t5/Getting-Data-In/What-is-the-syntax-for-makemv-delim-quot-quot-when-writing-it-in/m-p/276460" target="_self">this post</A>&nbsp;but not sure when combined with the sed command.</P><P>Normally SED commands I would put the SED commands into the transforms.conf file but how do I prevent them from applying to all evens? The events like the one processed in the example is only a subset of the events in the index and sourcetypes in there.<BR />The pairdelim and kvdelim are overrides to the default ones from the sourcetype configuration, not sure where to put this either.</P><P>Can someone guide me here? Is there some sort of sequence I can configure like the one in SPL to apply to&nbsp; specific events? How would I go about filtering out these events?</P> Wed, 24 Feb 2021 11:23:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-translate-mv-field-extraction-from-SPL-to-configuration/m-p/541171#M153197 jmartens 2021-02-24T11:23:38Z https://community.splunk.com/t5/Splunk-Search/How-to-translate-mv-field-extraction-from-SPL-to-configuration/m-p/541256#M153242 <P>Take a look at my response on this post.&nbsp;&nbsp;</P><P><A href="https://community.splunk.com/t5/Splunk-Search/To-Rex-or-not-to-rex/m-p/459516#M129688" target="_blank">https://community.splunk.com/t5/Splunk-Search/To-Rex-or-not-to-rex/m-p/459516#M129688</A></P><P>I used this on a source where the Key Value pairs was not consistent.&nbsp; This should allow you to dynamically extract the Key Values from whatever gets</P> Wed, 24 Feb 2021 18:32:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-translate-mv-field-extraction-from-SPL-to-configuration/m-p/541256#M153242 kmorris_splunk 2021-02-24T18:32:03Z