https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640407#M221922 <P>i tried adding the | kv,</P><P>and i do not get all the data&nbsp; in the result set.</P><P>am not allowed to edit the&nbsp;<SPAN>&nbsp;props.conf</SPAN></P> Tue, 18 Apr 2023 18:31:13 GMT Lazous 2023-04-18T18:31:13Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640379#M221905 <P>Hello,&nbsp;<BR />I am trying to extract the data from the following message:<BR />the header data is in quotes and for each header data there is a set of secondary data also in quotes.<BR />The events are presented as follows:</P> <P>{Name=SS, PId=236}<BR />PROD {Type=A_OUTGOING, Id=7934,plan=8975, Conflict=2529, Date=2023-04-18T18:51:00.000+02:00}<BR />PROD {Type=B_OUTGOING, Id=7934, plan=8975, Conflict=72482, Date=2023-04-18T18:51:00.000+02:00}<BR />{Name=DAG, PId=55}<BR />PROD {Type=B_INCOMING, Id=7921, plan=8975, Conflict=64870, Date=2023-04-18T18:51:00.000+02:00}</P> <P>The following result is expected:</P> <TABLE width="641"> <TBODY> <TR> <TD width="80">Name</TD> <TD width="34">&nbsp;&nbsp;PId</TD> <TD width="91">&nbsp;Type</TD> <TD width="80">&nbsp;Id</TD> <TD width="80">&nbsp;plan</TD> <TD width="80">Conflict</TD> <TD width="196">&nbsp;Date</TD> </TR> <TR> <TD>SS</TD> <TD>236</TD> <TD>A_OUTGOING</TD> <TD>7934</TD> <TD>8975</TD> <TD>2529</TD> <TD>2023-04-18T18:51:00.000+02:00</TD> </TR> <TR> <TD>SS</TD> <TD>236</TD> <TD>B_OUTGOING</TD> <TD>7934</TD> <TD>8975</TD> <TD>72482</TD> <TD>2023-04-18T18:51:00.000+02:00</TD> </TR> <TR> <TD>DAG</TD> <TD>55</TD> <TD>B_INCOMING</TD> <TD>7921</TD> <TD>8975</TD> <TD>64870</TD> <TD>2023-04-18T18:51:00.000+02:00</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><SPAN>Would you please help?&nbsp;</SPAN>Thanking you</P> Tue, 18 Apr 2023 18:07:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640379#M221905 Lazous 2023-04-18T18:07:17Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640387#M221909 <P>Given that this looks like it might be JSON, have you tried using spath?</P> Tue, 18 Apr 2023 17:25:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640387#M221909 ITWhisperer 2023-04-18T17:25:12Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640389#M221911 <P>That data is JSON so the quick/easy/wrong fix is just to add this to your search:<BR />| kv<BR /><BR />But the better answer is to add this to your props.conf for your source/sourcetype:<BR />KV_MODE = json</P> Tue, 18 Apr 2023 17:31:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640389#M221911 woodcock 2023-04-18T17:31:56Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640407#M221922 <P>i tried adding the | kv,</P><P>and i do not get all the data&nbsp; in the result set.</P><P>am not allowed to edit the&nbsp;<SPAN>&nbsp;props.conf</SPAN></P> Tue, 18 Apr 2023 18:31:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640407#M221922 Lazous 2023-04-18T18:31:13Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640408#M221923 <P>would you please specify how the command would look like in this case ?&nbsp;</P> Tue, 18 Apr 2023 18:32:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640408#M221923 Lazous 2023-04-18T18:32:16Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640409#M221924 <P><SPAN>| makeresults<BR />| eval raw="{Name=SS, PId=236}<BR />PROD {Type=A_OUTGOING, Id=7934,plan=8975, Conflict=2529, Date=2023-04-18T18:51:00.000+02:00}<BR />PROD {Type=B_OUTGOING, Id=7934, plan=8975, Conflict=72482, Date=2023-04-18T18:51:00.000+02:00} {Name=DAG, PId=55}<BR />PROD {Type=B_INCOMING, Id=7921, plan=8975, Conflict=64870, Date=2023-04-18T18:51:00.000+02:00}"<BR />| makemv delim="<BR />" raw<BR />| mvexpand raw<BR />| rename raw AS _raw<BR />| kv</SPAN></P> Tue, 18 Apr 2023 18:43:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-data-from-quotation-marks/m-p/640409#M221924 woodcock 2023-04-18T18:43:26Z