Getting Data In

Extracting key and value from substring

brdr
Contributor

I'm trying to corral a string into new field and value and having trouble. I've used eval / split / mvexpand....

The string looks like this. Its actually a field in an event:

field_id=/key1/value1/key2/value2/key3/value3/key4/value4

The end goal is to have new fields. Like:

field_key1=value1

filed_key2=value2

So i can now search, for example, if field_key1='the value of something"

 

 

 

Labels (2)
0 Karma

brdr
Contributor

Thank you both ITWhisperer and bowesmana!!!  🙂 Will try these out

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @brdr ...the above 2 SPL are working fine as you can see on the screenshots below.
the easiest one is the split command:

| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| eval temp=split(field_id,"/") | eval field_key1=mvindex(temp,2) | eval field_key2=mvindex(temp,4) 
| table field_id field_key1 field_key2

 

streamstats.jpg

split.jpg

foreach-rex.jpg

   

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

bowesmana
SplunkTrust
SplunkTrust

If you have a known max limit of keys, then you can do it without the mvexpand, which if you have a large dataset, can hit memory issues.

| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| rex field=field_id max_match=0 "/(?<k>[^/]*)/(?<v>[^/]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 10[ eval _k=mvindex(k, <<FIELD>>), {_k}=mvindex(v, <<FIELD>>) ]

Just put in the foreach statement the maximum number of possible key/value pairs you have.

inventsekar
SplunkTrust
SplunkTrust
| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| rex field=field_id max_match=0 "/(?<key>[^/]*)/(?<value>[^/]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 10[ eval _key=mvindex(key, <<FIELD>>), {_key}=mvindex(value, <<FIELD>>) ]

Hi @bowesmana .. instead of k and v, i used key and value, it works fine as well. 

could you pls explain how the last eval works (why do you use "eval _k")

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

bowesmana
SplunkTrust
SplunkTrust

@inventsekar You can use whatever two variables you like, a/b, k/v, key/value

In the foreach using a var name with _ prefix means that it will not be generally visible as a field, so in case you forget to remove the field _key, it will not be seen as part of the data. I often use that just to make sure temporary fields are hidden and don't become part of the working dataset.

The syntax {_key}=mvindex(value,<<FIELD>>) uses Splunk's encoding to create a new field (left hand side) that has the name of the VALUE of _key and it takes the n'th multivalue element from the value MV based on <<FIELD>> which is effectively a loop of the values of the foreach statement 0 1 2 3 4...

It's the same as doing this

| makeresults
| fields - _time
| eval key="NAME", value="ANTONY"
| eval {key}=value

where you will end up with a new field called NAME with the value of ANTONY

There should really be cleanup to remove the temporary field names k,v,_k, so a | fields statement would be a good idea at the end.

inventsekar
SplunkTrust
SplunkTrust

Great, thanks a lot @bowesmana ,..much appreciated ! 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex field=field_id max_match=0 "/(?<key>[^/]+)/(?<value>[^/]+)"
| eval row=mvrange(0,mvcount(key))
| streamstats count as _row
| mvexpand row
| eval name="field_".mvindex(key,row)
| eval {name}=mvindex(value,row)
| fields - key value name row
| stats values(*) as * by _row
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...