Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple fields extraction

prakashraja1999
Loves-to-Learn Everything
‎09-08-2021 06:31 AM

.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2021 07:59 AM

 

| rex max_match=0 "(?<name>\w+):(?<value>.+?)(?=\s+\w+:|$)"

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2021 08:57 AM

This gives you two multi-value fields for the names and the values - if you want corresponding fields created for these, you could do something like this

| rex max_match=0 "(?<_name>\w+):(?<_value>.+?)(?=\s+\w+:|$)"
| streamstats count as _event 
| eval index=mvrange(0,mvcount(_name))
| mvexpand index
| eval _name=mvindex(_name,index)
| eval _value=mvindex(_value,index)
| eval {_name}=_value
| fields - _name _value index
| stats values(*) as * by _event
| fields - _event

Note that extract might not work depending on the consistency of pair delimiters and their inclusion in the value strings.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-08-2021 07:35 AM

Here are two ideas:  rex command and extract command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-08-2021 08:04 AM

The question asked for ideas, not for someone else to do the work.  😀  Did you at least look at the commands?

@ITWhisperer has shown the rex command.  Here is extract:

| extract pairdelim=" " kvdelim=":"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

prakashraja1999
Loves-to-Learn Everything
‎09-08-2021 07:46 AM

Kindly share the rex and extract commands

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...