Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to handle fieldname=name, fieldvalue=value

mikedgibson
New Member
‎05-14-2014 01:47 PM

I currently have data that I want to extract fields from that looks like this

fieldname1=name1, fieldvalue1=value1, fieldname2=name2, fieldvalue2=value2

I want to extract the fields and make it look like this.

name1=value1
name2=value2

Is this possible with Splunk through modifications to the props.conf and transforms.conf?

Thanks.

Tags (1)
0 Karma
Reply

Ayn
Legend
‎05-14-2014 01:57 PM

Sure, you can define your own key/value extraction transforms. Something like this should do it:

props.conf:

[yoursourcetype]
REPORT-fieldkv = fieldkv

transforms.conf:

[fieldkv]
REGEX = fieldname\d+=([^,]+), fieldvalue\d+=([^,]+)
FORMAT = $1::$2
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-14-2014 05:51 PM

You might be able to adapt the extraction like this:

REGEX = field name\d+=([^=]+?) field value\d+=(([^=]+?)(?= field name\d+)|(.*))

That's assuming the event ends after the last field.
Look for the field name, grab that, look for the field value, grab that until the start of the next field or grab until the end if there's no other field name coming.

Note, and that's a big note, extracting data like this is quite fragile.

0 Karma
Reply

mikedgibson
New Member
‎05-14-2014 02:12 PM

Thanks. Sorry, I messed up my sample a little bit. It could look like this.

field name1=name 1 field value1=value 1 field name2=name 2 field value2=value2

It is using space delimiters (not commas) and unfortunately the field names and values can have spaces and I can't control the order of the fields other than to know field 1 value always follows field 1 name.

I only have basic regex experience and not sure if there is anything that can cover that.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...