https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315150#M94356 <P>Looking at the transforms.conf documentation, it should be just <CODE>FORMAT=$1::$2</CODE>.</P> Wed, 28 Feb 2018 09:38:40 GMT FrankVl 2018-02-28T09:38:40Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315147#M94353 <P>I'm trying to figure out better way of doing regex for a data like below</P> <PRE><CODE>Protocol: TCP, SrcIP: 1.2.3.4, OriginalClientIP: ::, DstIP: 5.6.7.8, SrcPort: 1234, DstPort: 678, TCPFlags: 0x0, DE: some engine (6xxxxxe-a010-11e7-b61b-xxxxxxx), Policy: my-home-policy, ConnectType: End, AccessControlRuleName: AB-CD-EFG, AccessControlRuleAction: Allow, Prefilter Policy: AB-CD-EFG, UserName: User A, InitiatorPackets: 4, ResponderPackets: 2, InitiatorBytes: 288, ResponderBytes: 148, NAPPolicy: AB-CD-EFG-Analysis-Policy, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Highly Risky </CODE></PRE> <P>I was looking to split this into key-value pairs, so it becomes</P> <PRE><CODE>Protocol=TCP OriginalClientIP="" UserName="User A" </CODE></PRE> <P>So the key-value split is <CODE>:\s</CODE> and <CODE>.*</CODE> until it finds a <CODE>comma</CODE>. </P> <PRE><CODE>(?&lt;key&gt;\w+):\s+(?&lt;value&gt;.*?)(\,|$) </CODE></PRE> <P>Above regex works in regex101, but not in transforms.conf . Or put in more precisely, the <CODE>value</CODE> is not getting assigned to the <CODE>key</CODE></P> Wed, 28 Feb 2018 08:58:43 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315147#M94353 koshyk 2018-02-28T08:58:43Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315148#M94354 <P>What exactly does your transforms.conf look like?</P> <P>Should be something like:</P> <PRE><CODE>[&lt;stanzaname here&gt;] REGEX = (\w+):\s+([^,]*)(?:,|$) FORMAT = $1::$2 </CODE></PRE> <P>And why not simply use:</P> <PRE><CODE>DELIMS = ",", ":" </CODE></PRE> Wed, 28 Feb 2018 09:11:19 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315148#M94354 FrankVl 2018-02-28T09:11:19Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315149#M94355 <P>thanks for your <CODE>DELIMS</CODE> suggestion. I will try that out </P> <P>(The transforms looks like what you mentiond. I have seen in other posts that we might need to put double quotes over FORMAT. so something like <CODE>FORMAT = "$1": $2</CODE> . I will try both of them anyway.</P> Wed, 28 Feb 2018 09:28:43 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315149#M94355 koshyk 2018-02-28T09:28:43Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315150#M94356 <P>Looking at the transforms.conf documentation, it should be just <CODE>FORMAT=$1::$2</CODE>.</P> Wed, 28 Feb 2018 09:38:40 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315150#M94356 FrankVl 2018-02-28T09:38:40Z https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315151#M94357 <P>DELIMS did the trick. thanks for the idea</P> Fri, 02 Mar 2018 10:22:21 GMT https://community.splunk.com/t5/Splunk-Search/Regex-help-Colon-space-and-comma-as-key-value-pair/m-p/315151#M94357 koshyk 2018-03-02T10:22:21Z