Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex Extraction

bhavneeshvohra9
New Member
‎01-12-2021 04:11 AM

HI All,

PLease help in extracting the below logs as per the conditions stated

key1=value1,key2=value2\,key 3=value3\,value4\,value5\,value6\,key4={key5=value5\,key6= value6\,},key7=val10(key8=val11\,key9=val12),key20=val20

i have a log of the above format

i want to extract key value pairs without backslash

also key 3=value3\,value4\,value5\,value6\,  is a multivalue field and should be extracted  as  :-

key 3=value3,value4,value5,value6

and key4={key5=value5\,key6= value6\,}, is a json object  which should be extracted as:-

  key5= value5 , key6= value 6(i.e key 4={ should not be extracted)

 and key7=val10(key8=val11\,key9=val12) should be extracted individually as :-

key7=val10 ,key8=val11,key9=val12

 

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-12-2021 09:22 AM

Hi @bhavneeshvohra9,

Can you try following? The only change you should do is "key_3" field name. I needed to use second transform for multi-value fields. I hope multi-value field names are specific.

props.conf
[your_sourcetype]
REPORT-kv = extract_kv, extract_mv
EVAL-key_3 = split(replace(key_3,"\\\\",""),",")
KV_MODE = none

transforms.conf
[extract_mv]
FORMAT = key_3::$1
REGEX = key\s3=(.+?),\w+=

[extract_kv]
FORMAT = $1::$2
REGEX = ([^=,{\s]+)=([^=,\\{()]+)

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2021 07:15 AM

Regular expressions like to work with consistent data.  So, are these keys always the same and always in the same order?  Are any of them optional?

Can you go back to the developers and ask them to log in a more consistent format, like all-JSON or all K=V?  Something like this would be far easier to parse.

key1=value1;key2=value2;key 3=value3,value4,value5,value6;key5=value5;key6= value6;key7=val10;key8=val11;key9=val12;key20=val20

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bhavneeshvohra9
New Member
‎01-12-2021 07:22 AM

Hi ,

 Thank you for your response .. it is not possible to change the data format

everything in the log format is  in forms of key value pairs like key1= val1

but  for some keys there is a '\'gettinga dded ti the values like key2=val2\,

also there are some keys having multiple values like key3=val3\,val4\,val5\,   for which we need extarction like key3=val3,val4,val5

also there are scenarios where its in form of object like key4= {key5=val5\, key6=val6},

for which we only need the values inside { like--> key5= val5 and key6= val6

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2021 08:38 AM

Thank you for restating the problem.

Regular expressions like to work with consistent data.  So, are these keys always the same and always in the same order?  Are any of them optional?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...