Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple fields extraction

prakashraja1999
Loves-to-Learn Everything
‎09-08-2021 06:31 AM

.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2021 07:59 AM

 

| rex max_match=0 "(?<name>\w+):(?<value>.+?)(?=\s+\w+:|$)"

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2021 08:57 AM

This gives you two multi-value fields for the names and the values - if you want corresponding fields created for these, you could do something like this

| rex max_match=0 "(?<_name>\w+):(?<_value>.+?)(?=\s+\w+:|$)"
| streamstats count as _event 
| eval index=mvrange(0,mvcount(_name))
| mvexpand index
| eval _name=mvindex(_name,index)
| eval _value=mvindex(_value,index)
| eval {_name}=_value
| fields - _name _value index
| stats values(*) as * by _event
| fields - _event

Note that extract might not work depending on the consistency of pair delimiters and their inclusion in the value strings.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-08-2021 07:35 AM

Here are two ideas:  rex command and extract command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-08-2021 08:04 AM

The question asked for ideas, not for someone else to do the work.  😀  Did you at least look at the commands?

@ITWhisperer has shown the rex command.  Here is extract:

| extract pairdelim=" " kvdelim=":"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

prakashraja1999
Loves-to-Learn Everything
‎09-08-2021 07:46 AM

Kindly share the rex and extract commands

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...