Getting Data In

Extracting key and value from substring

brdr
Contributor

I'm trying to corral a string into new field and value and having trouble. I've used eval / split / mvexpand....

The string looks like this. Its actually a field in an event:

field_id=/key1/value1/key2/value2/key3/value3/key4/value4

The end goal is to have new fields. Like:

field_key1=value1

filed_key2=value2

So i can now search, for example, if field_key1='the value of something"

 

 

 

Labels (2)
0 Karma

brdr
Contributor

Thank you both ITWhisperer and bowesmana!!!  🙂 Will try these out

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @brdr ...the above 2 SPL are working fine as you can see on the screenshots below.
the easiest one is the split command:

| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| eval temp=split(field_id,"/") | eval field_key1=mvindex(temp,2) | eval field_key2=mvindex(temp,4) 
| table field_id field_key1 field_key2

 

streamstats.jpg

split.jpg

foreach-rex.jpg

   

0 Karma

bowesmana
SplunkTrust
SplunkTrust

If you have a known max limit of keys, then you can do it without the mvexpand, which if you have a large dataset, can hit memory issues.

| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| rex field=field_id max_match=0 "/(?<k>[^/]*)/(?<v>[^/]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 10[ eval _k=mvindex(k, <<FIELD>>), {_k}=mvindex(v, <<FIELD>>) ]

Just put in the foreach statement the maximum number of possible key/value pairs you have.

inventsekar
SplunkTrust
SplunkTrust
| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| rex field=field_id max_match=0 "/(?<key>[^/]*)/(?<value>[^/]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 10[ eval _key=mvindex(key, <<FIELD>>), {_key}=mvindex(value, <<FIELD>>) ]

Hi @bowesmana .. instead of k and v, i used key and value, it works fine as well. 

could you pls explain how the last eval works (why do you use "eval _k")

0 Karma

bowesmana
SplunkTrust
SplunkTrust

@inventsekar You can use whatever two variables you like, a/b, k/v, key/value

In the foreach using a var name with _ prefix means that it will not be generally visible as a field, so in case you forget to remove the field _key, it will not be seen as part of the data. I often use that just to make sure temporary fields are hidden and don't become part of the working dataset.

The syntax {_key}=mvindex(value,<<FIELD>>) uses Splunk's encoding to create a new field (left hand side) that has the name of the VALUE of _key and it takes the n'th multivalue element from the value MV based on <<FIELD>> which is effectively a loop of the values of the foreach statement 0 1 2 3 4...

It's the same as doing this

| makeresults
| fields - _time
| eval key="NAME", value="ANTONY"
| eval {key}=value

where you will end up with a new field called NAME with the value of ANTONY

There should really be cleanup to remove the temporary field names k,v,_k, so a | fields statement would be a good idea at the end.

inventsekar
SplunkTrust
SplunkTrust

Great, thanks a lot @bowesmana ,..much appreciated ! 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex field=field_id max_match=0 "/(?<key>[^/]+)/(?<value>[^/]+)"
| eval row=mvrange(0,mvcount(key))
| streamstats count as _row
| mvexpand row
| eval name="field_".mvindex(key,row)
| eval {name}=mvindex(value,row)
| fields - key value name row
| stats values(*) as * by _row
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...