https://community.splunk.com/t5/Splunk-Search/Extract-Field-Name-and-Value-from-Data-Source-using-Delimiter/m-p/456114#M170527 <P>Hi,</P> <P>You can achieve this using regular expression in props and transforms to extract field and value at search time.</P> <P>On Search Head<BR /> props.conf</P> <PRE><CODE>[yourSourceType] REPORT-test = extract_session_kv </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[extract_session_kv] CLEAN_KEYS = 0 FORMAT = $1::$2 REGEX = Session_Variable_Name\=\"([^"]+)\"\,Session_Variable_Value\=\"([^"]+)\" </CODE></PRE> Thu, 04 Jul 2019 08:21:19 GMT harsmarvania57 2019-07-04T08:21:19Z https://community.splunk.com/t5/Splunk-Search/Extract-Field-Name-and-Value-from-Data-Source-using-Delimiter/m-p/456113#M170526 <P>I'm looking to dynamically extract both the field name and the associated value from a data source. Essentially, the field name is a session variable on F5 and these variables can be added and removed at will. So statically trying to regex the field extraction and field name would be impossible. Here is a data sample</P> <PRE><CODE>hostname="ip-10-1-1-49.us-gov-west-1.compute.internal",errdefs_msgno="01490007:6:",partition_name="Common",session_id="c3da4e31",Access_Profile="/Common/testPolicy1",Partition="Common",Session_Id="c3da4e31",Session_Variable_Name="session.ssl.cert.end",Session_Variable_Value="Nov 26 22:14:03 2020 GMT" hostname="ip-10-1-1-49.us-gov-west-1.compute.internal",errdefs_msgno="01490007:6:",partition_name="Common",session_id="c3da4e31",Access_Profile="/Common/testPolicy1",Partition="Common",Session_Id="c3da4e31",Session_Variable_Name="session.ssl.cert.exist",Session_Variable_Value="1" hostname="ip-10-1-1-49.us-gov-west-1.compute.internal",errdefs_msgno="01490007:6:",partition_name="Common",session_id="c3da4e31",Access_Profile="/Common/testPolicy1",Partition="Common",Session_Id="c3da4e31",Session_Variable_Name="session.ssl.cert.issuer",Session_Variable_Value="DC=local, DC=cloudmegalodon, CN=cloudmegalodon-CMDC1-CA" hostname="ip-10-1-1-49.us-gov-west-1.compute.internal",errdefs_msgno="01490007:6:",partition_name="Common",session_id="c3da4e31",Access_Profile="/Common/testPolicy1",Partition="Common",Session_Id="c3da4e31",Session_Variable_Name="session.ssl.cert.serial",Session_Variable_Value="59:00:00:00:09:21:54:f7:30:0b:fd:f7:9f:00:00:00:00:00:09" hostname="ip-10-1-1-49.us-gov-west-1.compute.internal",errdefs_msgno="01490007:6:",partition_name="Common",session_id="c3da4e31",Access_Profile="/Common/testPolicy1",Partition="Common",Session_Id="c3da4e31",Session_Variable_Name="session.ssl.cert.start",Session_Variable_Value="Nov 27 22:14:03 2018 GMT" hostname="ip-10-1-1-49.us-gov-west-1.compute.internal",errdefs_msgno="01490007:6:",partition_name="Common",session_id="c3da4e31",Access_Profile="/Common/testPolicy1",Partition="Common",Session_Id="c3da4e31",Session_Variable_Name="session.ssl.cert.subject",Session_Variable_Value="DC=local, DC=cloudmegalodon, OU=OrgUsers, CN=TINA F. OLSON.1468013579" hostname="ip-10-1-1-49.us-gov-west-1.compute.internal",errdefs_msgno="01490007:6:",partition_name="Common",session_id="c3da4e31",Access_Profile="/Common/testPolicy1",Partition="Common",Session_Id="c3da4e31",Session_Variable_Name="session.ssl.cert.valid",Session_Variable_Value="0" </CODE></PRE> <P>I want to take for example <CODE>Session_Variable_Name="session.ssl.cert.serial",Session_Variable_Value="59:00:00:00:09:21:54:f7:30:0b:fd:f7:9f:00:00:00:00:00:09"</CODE><BR /> and make session.ssl.cert.serial the field name and 59:00:00:00:09:21:54:f7:30:0b:fd:f7:9f:00:00:00:00:00:09 the field value.</P> <P>I have not been able to get this to work with kv pairdelim and kvdelim. Maybe there is a better way to do this. Open to any and all ideas!</P> <P>Here is the search I'm working with now</P> <PRE><CODE>index="test_f5" sourcetype="f5_syslog_splunk" | kv pairdelim="Session_Variable_Name\r\n" kvdelim="\",Session_Variable_Value=\"" </CODE></PRE> Wed, 03 Jul 2019 19:39:39 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Field-Name-and-Value-from-Data-Source-using-Delimiter/m-p/456113#M170526 jspigler2010 2019-07-03T19:39:39Z https://community.splunk.com/t5/Splunk-Search/Extract-Field-Name-and-Value-from-Data-Source-using-Delimiter/m-p/456114#M170527 <P>Hi,</P> <P>You can achieve this using regular expression in props and transforms to extract field and value at search time.</P> <P>On Search Head<BR /> props.conf</P> <PRE><CODE>[yourSourceType] REPORT-test = extract_session_kv </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[extract_session_kv] CLEAN_KEYS = 0 FORMAT = $1::$2 REGEX = Session_Variable_Name\=\"([^"]+)\"\,Session_Variable_Value\=\"([^"]+)\" </CODE></PRE> Thu, 04 Jul 2019 08:21:19 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Field-Name-and-Value-from-Data-Source-using-Delimiter/m-p/456114#M170527 harsmarvania57 2019-07-04T08:21:19Z https://community.splunk.com/t5/Splunk-Search/Extract-Field-Name-and-Value-from-Data-Source-using-Delimiter/m-p/456115#M170528 <P>Works great! Thanks harsmarvania!</P> Mon, 08 Jul 2019 16:55:43 GMT https://community.splunk.com/t5/Splunk-Search/Extract-Field-Name-and-Value-from-Data-Source-using-Delimiter/m-p/456115#M170528 jspigler2010 2019-07-08T16:55:43Z