All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the key value pairs?

santhgates
Engager
‎05-21-2014 06:26 AM

Below is an example of my event:

Timestamp="05/18/14 11:25:16 AM PDT" SessionIndex="2" Action="STATSDAILY" Version="2.1.10" Platform="Android" Device="HTC One" Params="{coinsEarned : 1800,coinsSpent : 1100,experienceEarned : 2460,timeSpent : 4417,diamondsEarned : 3,diamondsSpent : 18,noOfSessions : 4,energySpent : 7,gamesCompleted : 5}"

In the above event, in the field "Params", I need to extract the keys as the fields and their values as values for the new fields. So a new field "coinsEarned" should be extracted and its value should be "1800" for this event. Similarly for all the key-value pairs in the field Params.

Can someone help me with the regular expression to get the desired results?

Reply
1 Solution
Solved! Jump to solution
Solution

jameshgibson
Path Finder
‎05-21-2014 07:59 AM

You can just add this to your search:

| extract pairdelim="\"{,}" kvdelim=":"

View solution in original post

Reply
Solved! Jump to solution

yonmost
Engager
‎09-28-2016 12:50 AM

Here is what worked for me:

| makemv tokenizer="([^,]+)," Params | mvexpand line
| rex field=Params "(?<key>[^{:]+) : (?<value>[0-9]+)"
0 Karma
Reply
Solved! Jump to solution
Solution

jameshgibson
Path Finder
‎05-21-2014 07:59 AM

You can just add this to your search:

| extract pairdelim="\"{,}" kvdelim=":"

Reply
Solved! Jump to solution

haraksin
Communicator
‎07-27-2021 05:19 PM

I used the following to help with this at search time with key-value pairs that had space delimiters and = key delimiters:

| extract pairdelim=" " kvdelim="="

This also works when your KV pairs optionally have quotation marks for data that contains whitespace.

Reply
Solved! Jump to solution

mverma
Engager
‎04-28-2025 07:11 PM

As a matter of fact, one actually doesn't need to specify the field name, which contains all the key value pair.
I used following simple extract parameters:

| extract pairdelim="," kvdelim=":"

One doesn't need to escape "," as done in the first answer!

0 Karma
Reply
Solved! Jump to solution

bnikhil0584
Explorer
‎04-11-2018 04:49 PM

How to extract something like all the key-value pairs in the field Params ?

Timestamp="05/18/14 11:25:16 AM PDT" SessionIndex="2" Action="STATSDAILY" Version="2.1.10" Platform="Android" Device="HTC One" Params={"coinsEarned":"1800","coinsSpent":"no coins spent","experienceEarned":"2460","timeSpent":"4417","}

I've tried this but no luck

...| extract pairdelim="\"{,}" kvdelim=":"

Thank in advance

0 Karma
Reply
Solved! Jump to solution

yonmost
Engager
‎09-27-2016 11:39 PM

I have a similar situation and this answer doesn't work for me. How does the extract command know to work on the Params field? It's not mentioned anywhere

0 Karma
Reply
Solved! Jump to solution

santhgates
Engager
‎05-21-2014 08:42 AM

Perfect! You saved my day 🙂

Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...