Can not extract value with whitespace at index time

sebastian_pribn
Engager

Hello,

I have a not ideal log, looking like this, for example:

"field1=value1"  "field2=val ue 2" "field3=value3"

And I want to exclude the key-value pairs at index time.

Combinations like the first kv-pair are no problem. The second value, however, is a problem. With my extraction I can only get the "val" part, and the extraction stops at the whitespace.

My rule in transforms.conf looks like this:

[example]
REGEX = (?<_KEY_1>([^=\"]+)=(?<_VAL_1>([^=\"]+)

To clarify, my results in splunk are looking like this:

field1 = value1

field2 = val

field3 = value3

I am not sure what I am missing.

richgalloway
SplunkTrust

You have the right regex, but with a slightly muddled syntax (too many left parens).  Try this alternative:

[example]
REGEX = ([^=\"]+)=([^=\"]+)
FORMAT = $1::$2

---
If this reply helps you, Karma would be appreciated.

sebastian_pribn
Engager

Oh, you are right. I had run so many tests yesterday that it was getting a little confusing.

I've tried both variants, with the same regex:

[example]
REGEX = (?<_KEY_1>([^=\"]+))=(?<_VAL_1>([^=\"]+))

and

[example]
REGEX = ([^=\"]+)=([^=\"]+)
FORMAT = $1::$2

but I am only getting the value to the first whitespace.

"key=val ue"

will result in

key=val

with both variants.

I've tested all changes in props.conf / transforms.conf under etc/system/local to ensure that there is no other setting that is overwriting my tests.

Maybe I should also mention that these values are embedded in some kind of pseudo-JSON format. I am, however, not using indexed extractions.

The events are looking something like this:

{"severity":"info","time":"123456789","message":"key1=value1" "key2=val ue 2"}

richgalloway
SplunkTrust

The regex should work.  It works in regex101.com.  See https://regex101.com/r/ZHCFQp/1

---
If this reply helps you, Karma would be appreciated.
PickleRick
SplunkTrust

If the key-value pairs are enclosed in parentheses I'd anchor the regex in parentheses as well.

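To check what the regex itself does with a value that contains whitespace, here is an added Python example (not code from the thread or from Splunk). It runs the unanchored pattern from the first reply and a variant anchored to the enclosing double quotes, as the last reply suggests, over a constructed event in the pseudo-JSON shape described above. The assumption is that Splunk's PCRE engine treats the character class `[^="]+` the same way Python's `re` does, which holds for this pattern: a space is not in the excluded set, so the value match continues to the closing quote rather than stopping at the whitespace.

```python
import re

# Constructed sample event, modelled on the pseudo-JSON format shown in the thread.
# The second value deliberately contains whitespace, which is the case in question.
SAMPLE_EVENT = ('{"severity":"info","time":"123456789",'
                '"message":"key1=value1" "key2=val ue 2" "field3=value3"}')

# The unanchored pattern from the first reply, written as a Python regex.
UNANCHORED = re.compile(r'([^="]+)=([^="]+)')

# The same pattern anchored to the double quotes that enclose each pair
# (an assumed variant, following the suggestion to anchor on the delimiters).
QUOTE_ANCHORED = re.compile(r'"([^="]+)=([^="]+)"')


def extract_pairs(event: str, pattern: re.Pattern) -> list[tuple[str, str]]:
    """Return every (key, value) pair the pattern finds in the event, in order.

    Because the value class [^="]+ excludes only '=' and '"', a space inside a
    value does not terminate the match; the value runs up to the closing quote.
    """
    return [(key, value) for key, value in pattern.findall(event)]


def values_with_whitespace(event: str, pattern: re.Pattern) -> list[str]:
    """List the values that contain whitespace, to confirm they were not truncated."""
    return [value for _, value in extract_pairs(event, pattern) if " " in value]


def regex_variants_agree(event: str) -> bool:
    """True when the anchored and unanchored variants yield identical pairs."""
    return extract_pairs(event, UNANCHORED) == extract_pairs(event, QUOTE_ANCHORED)


if __name__ == "__main__":
    for name, pattern in (("unanchored", UNANCHORED), ("quote-anchored", QUOTE_ANCHORED)):
        print(name)
        for key, value in extract_pairs(SAMPLE_EVENT, pattern):
            print(f"  {key} = {value!r}")
    print("variants agree:", regex_variants_agree(SAMPLE_EVENT))
```

Both variants return `key2` with the full value `val ue 2`, so a result that stops at `val` points at how the rule is applied in the deployed configuration rather than at the pattern's handling of whitespace. The quote-anchored variant is the stricter of the two: it will not produce a pair from text outside the quoted segments, which is worth having when the surrounding JSON also contains `=` characters.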