topic Re: How does splunk split field contents in dictionary format? in Splunk Search

How does splunk split field contents in dictionary format?

Cathy — Thu, 05 Jan 2023 12:58:02 GMT

current splunk log:

user=a,ip=b,info={'gender':1,'Country':2},p=1,

target splunk table:

 user=a,ip=b,gender=1,Country=2,p=1,

Re: How does splunk split field contents in dictionary format?

ITWhisperer — Thu, 05 Jan 2023 13:05:43 GMT

Your log looks pretty standard and fields can be parsed into name/value pairs with the extract command. Then, your info field looks a bit like JSON only you have single quotes instead of double quotes. Your can switch these with the replace function, Then you can parse the (now correct) JSON field with the spath command

| extract | eval info=replace(info,"'","\"") | spath input=info

Re: How does splunk split field contents in dictionary format?

Cathy — Thu, 05 Jan 2023 15:37:52 GMT

Thank you for your answer. It works!