All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the key value pairs?

santhgates
Engager
‎05-21-2014 06:26 AM

Below is an example of my event:

Timestamp="05/18/14 11:25:16 AM PDT" SessionIndex="2" Action="STATSDAILY" Version="2.1.10" Platform="Android" Device="HTC One" Params="{coinsEarned : 1800,coinsSpent : 1100,experienceEarned : 2460,timeSpent : 4417,diamondsEarned : 3,diamondsSpent : 18,noOfSessions : 4,energySpent : 7,gamesCompleted : 5}"

In the above event, in the field "Params", I need to extract the keys as the fields and their values as values for the new fields. So a new field "coinsEarned" should be extracted and its value should be "1800" for this event. Similarly for all the key-value pairs in the field Params.

Can someone help me with the regular expression to get the desired results?

Reply
1 Solution
Solved! Jump to solution
Solution

jameshgibson
Path Finder
‎05-21-2014 07:59 AM

You can just add this to your search:

| extract pairdelim="\"{,}" kvdelim=":"

View solution in original post

Reply
Solved! Jump to solution

yonmost
Engager
‎09-28-2016 12:50 AM

Here is what worked for me:

| makemv tokenizer="([^,]+)," Params | mvexpand line
| rex field=Params "(?<key>[^{:]+) : (?<value>[0-9]+)"
0 Karma
Reply
Solved! Jump to solution
Solution

jameshgibson
Path Finder
‎05-21-2014 07:59 AM

You can just add this to your search:

| extract pairdelim="\"{,}" kvdelim=":"

Reply
Solved! Jump to solution

haraksin
Communicator
‎07-27-2021 05:19 PM

I used the following to help with this at search time with key-value pairs that had space delimiters and = key delimiters:

| extract pairdelim=" " kvdelim="="

This also works when your KV pairs optionally have quotation marks for data that contains whitespace.

Reply
Solved! Jump to solution

mverma
Engager
‎04-28-2025 07:11 PM

As a matter of fact, one actually doesn't need to specify the field name, which contains all the key value pair.
I used following simple extract parameters:

| extract pairdelim="," kvdelim=":"

One doesn't need to escape "," as done in the first answer!

0 Karma
Reply
Solved! Jump to solution

bnikhil0584
Explorer
‎04-11-2018 04:49 PM

How to extract something like all the key-value pairs in the field Params ?

Timestamp="05/18/14 11:25:16 AM PDT" SessionIndex="2" Action="STATSDAILY" Version="2.1.10" Platform="Android" Device="HTC One" Params={"coinsEarned":"1800","coinsSpent":"no coins spent","experienceEarned":"2460","timeSpent":"4417","}

I've tried this but no luck

...| extract pairdelim="\"{,}" kvdelim=":"

Thank in advance

0 Karma
Reply
Solved! Jump to solution

yonmost
Engager
‎09-27-2016 11:39 PM

I have a similar situation and this answer doesn't work for me. How does the extract command know to work on the Params field? It's not mentioned anywhere

0 Karma
Reply
Solved! Jump to solution

santhgates
Engager
‎05-21-2014 08:42 AM

Perfect! You saved my day 🙂

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...