Multiple fields extraction

prakashraja1999 · ‎09-08-2021

.

ITWhisperer · ‎09-08-2021

| rex max_match=0 "(?<name>\w+):(?<value>.+?)(?=\s+\w+:|$)"

ITWhisperer · ‎09-08-2021

This gives you two multi-value fields for the names and the values - if you want corresponding fields created for these, you could do something like this

| rex max_match=0 "(?<_name>\w+):(?<_value>.+?)(?=\s+\w+:|$)"
| streamstats count as _event 
| eval index=mvrange(0,mvcount(_name))
| mvexpand index
| eval _name=mvindex(_name,index)
| eval _value=mvindex(_value,index)
| eval {_name}=_value
| fields - _name _value index
| stats values(*) as * by _event
| fields - _event

Note that extract might not work depending on the consistency of pair delimiters and their inclusion in the value strings.

richgalloway · ‎09-08-2021

Here are two ideas: rex command and extract command.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎09-08-2021

The question asked for ideas, not for someone else to do the work. 😀 Did you at least look at the commands?

@ITWhisperer has shown the rex command. Here is extract:

| extract pairdelim=" " kvdelim=":"

---
If this reply helps you, Karma would be appreciated.

prakashraja1999 · ‎09-08-2021

Kindly share the rex and extract commands

Multiple fields extraction

field extraction

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

Multiple fields extraction

field extraction

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor