https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175214#M50292 <P>There is now a TA for parsing HL7 that was released subsequent to this question being asked.</P> <P><A href="https://splunkbase.splunk.com/app/3283/">https://splunkbase.splunk.com/app/3283/</A></P> Mon, 19 Sep 2016 20:08:59 GMT dstuder 2016-09-19T20:08:59Z https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175211#M50289 <P>I am trying to figure out how to extract structured data from an HL7 2.x message </P> <P>The entire message is wrapped in a hl7 mlp wrapper, <CODE>&lt;VT&gt;&lt;payload&gt;&lt;FS&gt;&lt;CR&gt;</CODE>, which I am using in the source type I created to extract individual messages. The grammar of this message is MSH PID PV1 OBR { OBX }. Essentially what this means is that the message will have 4 segments(strings) delimited by a <CODE>&lt;CR&gt;</CODE> followed by 1 to n OBX segments each delimited by a <CODE>&lt;CR&gt;</CODE>. Each segment represents a different set of information:</P> <UL> <LI>MSH =&gt; Message Header</LI> <LI>PID =&gt; Patient Info</LI> <LI>PV1 =&gt; Patient Visit/Encounter Info</LI> <LI>OBR =&gt; Observation Request</LI> <LI>OBX =&gt; Observation/Result</LI> </UL> <P>Because the first 4 segments are required and in order I was able to extract all fields using a regex.</P> <P>Example:</P> <P>Message(excluding message wrapper)</P> <PRE><CODE>MSH|^~\&amp;|Sending Application|N|||20140731105559||ORU^R01|47311055594607d|P|2.3||||||8859/1 PID|||MRN19||PV1^19||19000101|M||||||||||CSN19 PV1||I|SNGH GICU||||||||||||||||ECN123456 OBR|||||||20140731105559 OBX|1|ST|&lt;Observation_Identifier&gt;||&lt;Observation_Value&gt;|&lt;Observation_Units&gt;|||||&lt;Observation_Status&gt;|||&lt;Observation_Time&gt;|| OBX|2|NM|Temperature||98.6|Celsius|||||F|||20140731105559|| OBX|3|ST|Heart Rate||60|/min|||||F|||20140731105559|| </CODE></PRE> <P>Regex to extract all fields from the MSH segment</P> <PRE><CODE>(?m).*MSH\|(?:(?:(?:$)|(?:\n)|(?&lt;encoding_characters&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;sending_application&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;sending_facility&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;receiving_application&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;receiving_facility&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;date_time_of_message&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;security&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;message_type&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;message_control_id&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;processing_id&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;version_id&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;sequence_id&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;continuation_pointer&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;accept_acknowledge_type&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;application_acknowledge_type&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;country_code&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;character_set&gt;[^|\n]*)|(?:\|))(?:\|?))(?:(?:(?:$)|(?:\n)|(?&lt;principal_language_of_message&gt;[^|\n]*)|(?:\|))(?:\|?)) </CODE></PRE> <P>In the message above message each OBX segment represents a measurement.</P> <UL> <LI>OBX 1 =&gt; Example with field names</LI> <LI>OBX 2 =&gt; Temperature Measurement</LI> <LI>OBX 3 =&gt; Heart Rate Measurement</LI> </UL> <P>So for any given message I need to be able to extract each measurement plus the attributes of the measurement, Value, Units, Time, .... and there can be 1 to n instances of the OBX segments or even of the same measurement type at a different time.</P> <P>The only way I have been able to get this to work so far is to deconstruct the message before injecting it into splunk and generating a new message for each measurement. This is a less than ideal solution and I would prefer to get this to work using splunk.</P> <P>Any suggestions would be greatly appreciated.</P> Thu, 07 Aug 2014 20:52:35 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175211#M50289 dmbreton 2014-08-07T20:52:35Z https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175212#M50290 <P>You can setup multivalue field extraction using transforms.conf.</P> <P>Reference:<BR /> <A href="http://answers.splunk.com/answers/112311/multi-value-field-extraction">http://answers.splunk.com/answers/112311/multi-value-field-extraction</A><BR /> <A href="http://answers.splunk.com/answers/11777/field-extraction-into-multivalue-field">http://answers.splunk.com/answers/11777/field-extraction-into-multivalue-field</A></P> Thu, 07 Aug 2014 21:12:06 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175212#M50290 somesoni2 2014-08-07T21:12:06Z https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175213#M50291 <P>Something like this (just for OBX, assuming there are 15 fields after the keyword OBX)</P> <PRE><CODE>[YourSourceType] REPORT-mv_obx = xf-obx TRANSFORMS.CONF: [xf-obx] REGEX = ^OBX\|(?&lt;field1&gt;.*)\|(?&lt;field2&gt;.*)\|(?&lt;field3&gt;.*)\|.....write others...\|(?&lt;field15&gt;.*)\| MV_ADD = true </CODE></PRE> Thu, 07 Aug 2014 21:14:59 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175213#M50291 somesoni2 2014-08-07T21:14:59Z https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175214#M50292 <P>There is now a TA for parsing HL7 that was released subsequent to this question being asked.</P> <P><A href="https://splunkbase.splunk.com/app/3283/">https://splunkbase.splunk.com/app/3283/</A></P> Mon, 19 Sep 2016 20:08:59 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-Fields-from-Structured-HL7-Data/m-p/175214#M50292 dstuder 2016-09-19T20:08:59Z