topic Re: How To Use Eval to Capture Inconsistent key:values in Splunk Search

How To Use Eval to Capture Inconsistent key:values

mark_groenveld — Wed, 26 Mar 2025 18:44:32 GMT

I am searching for a key:value report app where the values are inconsistent but include a report cluster name consistently.

Example of key:value
APP_Details:{"CLUSTER_VIP":"CLUSTERX.URL.COM","Access":true}

There are over 100 APP_Details values for CLUSTERX.

How can I extract CLUSTERX (there are three different cluster names) to show as a single value by cluster?

Thanks

Re: How To Use Eval to Capture Inconsistent key:values

PickleRick — Wed, 26 Mar 2025 18:50:12 GMT

I'm not sure what you mean by "extract" in this context. Do you have your fields extracted already and used it in a different meaning or do you want to extract values from the raw data? Give us a bit more example events and describe what would be the result (based on that example data) and why.

Re: How To Use Eval to Capture Inconsistent key:values

mark_groenveld — Wed, 26 Mar 2025 19:04:08 GMT

Sure.

Here are examples of the values.

{"CLUSTER1.COM","viewSiteAsUser.hasAccess":true}

{"CLUSTER_VIP":"CLUSTER1.COM"}

Re: How To Use Eval to Capture Inconsistent key:values

livehybrid — Wed, 26 Mar 2025 22:11:54 GMT

Hi @mark_groenveld

Is that the full event or a field in your event? Is the whole event JSON? If possible please give some full examples.

Are the names of the 3 cluster always CLUSTER followed by a single character?

Thanks

Will

Re: How To Use Eval to Capture Inconsistent key:values

mark_groenveld — Thu, 27 Mar 2025 18:36:09 GMT

Here are 2 examples of the values for the events:

{"CLUSTER1.COM","viewSiteAsUser.hasAccess":true}

{"CLUSTER_VIP":"CLUSTER1.COM"}

Re: How To Use Eval to Capture Inconsistent key:values

mark_groenveld — Thu, 27 Mar 2025 18:37:41 GMT

I am looking for a way to pull out CLUSTER1 as a single value as there are two other clusters, CLUSTER2 AND CLUSTER3.

Thanks

Re: How To Use Eval to Capture Inconsistent key:values

livehybrid — Thu, 27 Mar 2025 21:42:43 GMT

Hi @mark_groenveld

As the samples dont look to be valid JSON, I assume we can use the *rex* command on them against the _raw field.

Try this:

| rex field=_raw "(?<ClusterVal>CLUSTER[0-9]+)"

This should give you a field called ClusterVal with your cluster in it.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: How To Use Eval to Capture Inconsistent key:values

mark_groenveld — Fri, 28 Mar 2025 18:35:30 GMT

Thanks for posting livehybrid. The rex did not work. Karma points to you for giving it a go 👊

Re: How To Use Eval to Capture Inconsistent key:values

ITWhisperer — Fri, 28 Mar 2025 20:59:25 GMT

@mark_groenveld

The rex does work with the "events" you shared (as demonstrated below)

| makeresults | fields - _time | eval _raw="{\"CLUSTER1.COM\",\"viewSiteAsUser.hasAccess\":true} {\"CLUSTER_VIP\":\"CLUSTER1.COM\"}" | multikv noheader=t | fields _raw | rex field=_raw "(?<ClusterVal>CLUSTER[0-9]+)"

Please share more events where the rex "did not work"