https://community.splunk.com/t5/Splunk-Search/JSON-KV-Extraction/m-p/306019#M91861 <P>Check out rubular.com and have fun yourself.</P> Thu, 16 Feb 2017 14:14:04 GMT rbardonetorian 2017-02-16T14:14:04Z https://community.splunk.com/t5/Splunk-Search/JSON-KV-Extraction/m-p/306018#M91860 <P>I have some JSON events, with fields extracted correctly.</P> <P>Inside the JSON event is a key value dictionary like so</P> <P>"integrations": ["product=splunk, product_version=6.5, name=splunk"]</P> <P>The resulting JSON extracted field / value -- intgrations=["product=splunk, product_version=6.5, name=splunk"]</P> <P>As a regex n00b having relied on IFX in the past, I'm now trying to split product, product_version, and name into fields too. </P> <P>How would I form a regular expression to use as a field extraction to specify these 3 fields (i.e field starts with "product=" and ends with either "," or """ (not all fields are always in dictionary)?</P> Thu, 16 Feb 2017 13:46:34 GMT https://community.splunk.com/t5/Splunk-Search/JSON-KV-Extraction/m-p/306018#M91860 himynamesdave 2017-02-16T13:46:34Z https://community.splunk.com/t5/Splunk-Search/JSON-KV-Extraction/m-p/306019#M91861 <P>Check out rubular.com and have fun yourself.</P> Thu, 16 Feb 2017 14:14:04 GMT https://community.splunk.com/t5/Splunk-Search/JSON-KV-Extraction/m-p/306019#M91861 rbardonetorian 2017-02-16T14:14:04Z https://community.splunk.com/t5/Splunk-Search/JSON-KV-Extraction/m-p/306020#M91862 <PRE><CODE>your basesearch |rename 'integrations.product' as product| rename 'integrations.product_version' as product_version|rename 'integrations.name' as name|table product product_version_name </CODE></PRE> <P>If I understood should sort you out without having to extract fields.</P> <P>You could add each rename command to a calculated field if you wished which would perform this for you automaticly</P> Thu, 16 Feb 2017 14:32:35 GMT https://community.splunk.com/t5/Splunk-Search/JSON-KV-Extraction/m-p/306020#M91862 nickhills 2017-02-16T14:32:35Z