topic Re: rex extract key values between brackets that keys are varies in Splunk Search

How can I extract all key value between brackets (keys vary)?

indeed_2000 — Tue, 31 May 2022 05:11:50 GMT

I have a string like below, how can I extract all key value between brackets (keys vary)?

Arg[2]: NetworkPacket{trace='0'errCode=''dateTimeLocalTransaction='Mon May 30 00:00:00 IRDT 2022'dateTimeLocalTransactionTo='Mon May 30 23:59:59 USDT 2022'selectedTerminalTypes='[]'UDPApproveTermID='', dateEnd=null', referenceID='', selectedFlowTypeMaps=[]}

for above string out put like this:

trace=0

errCode=

dateTimeLocalTransaction=Mon May 30 00:00:00 USDT 2022

dateTimeLocalTransactionTo=Mon May 30 23:59:59 USDT 2022

selectedTerminalTypes=

UDPApproveTermID=

dateEnd=null

referenceID=

selectedFlowTypeMaps=

Thanks,

Re: rex extract key values between brackets that keys are varies

gcusello — Mon, 30 May 2022 11:01:51 GMT

Hi @indeed_2000,

this seems to be a json log, so using the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath) you should automatically extract the fields you need.

But anyway, you have pairs fieldname=fieldvalue and Splunk should automatically extract all fields.

But if you don't have nothing you can use one regex like this, but it's easy that it doesn't run:

| rex "trace\=\'(?<trace>[^\']*)\'errCode\=\'(?<err_code>[^\']*)\'dateTimeLocalTransaction\=\'(?<dateTimeLocalTransaction>[^\']*)\'dateTimeLocalTransactionTo\=\'(?<dateTimeLocalTransactionTo>[^\']*)\'selectedTerminalTypes\=\'(?<selectedTerminalTypes>[^\']*)\'UDPApproveTermID\=\'(?<UDPApproveTermID>[^\']*)\',\s+dateEnd\=(?<dateEnd>[^\']*)\',\s+referenceID\=\'(?<referenceID>[^\']*)\',\s+selectedFlowTypeMaps\=(?<selectedFlowTypeMaps>[^\]]*)"

You can test the regex at https://regex101.com/r/rE0lZK/1

or you could use a regex for each field extraction, something like this:

| rex "trace\=\'(?<trace>[^\']*)" | rex "errCode\=\'(?<err_code>[^\']*)" | rex "dateTimeLocalTransaction\=\'(?<dateTimeLocalTransaction>[^\']*)" | rex "dateTimeLocalTransactionTo\=\'(?<dateTimeLocalTransactionTo>[^\']*)" | rex "selectedTerminalTypes\=\'(?<selectedTerminalTypes>[^\']*)" | rex "UDPApproveTermID\=\'(?<UDPApproveTermID>[^\']*)" | rex "dateEnd\=(?<dateEnd>[^\']*)" | rex "referenceID\=\'(?<referenceID>[^\']*)" | rex "selectedFlowTypeMaps\=(?<selectedFlowTypeMaps>[^\]]*)"

My hint is to use spath, if possible, otherwise the last solution (separated regexes).

Ciao.

Giuseppe

Re: rex extract key values between brackets that keys are varies

ITWhisperer — Mon, 30 May 2022 12:17:09 GMT

There seems to be a mixture of delimiters and separators e.g. sometimes there is no space between on field value finishing and the next field key starting, other times, there is a comma and a space. Please can you share an accurate (but anonymised) version of the events you are dealing with in a code block </> so that the browser doesn't try and reformat it?

Re: rex extract key values between brackets that keys are varies

indeed_2000 — Mon, 30 May 2022 17:52:15 GMT

I try spath and worked!
thanks