Multiple fields extraction

prakashraja1999 · ‎09-08-2021

.

ITWhisperer · ‎09-08-2021

| rex max_match=0 "(?<name>\w+):(?<value>.+?)(?=\s+\w+:|$)"

ITWhisperer · ‎09-08-2021

This gives you two multi-value fields for the names and the values - if you want corresponding fields created for these, you could do something like this

| rex max_match=0 "(?<_name>\w+):(?<_value>.+?)(?=\s+\w+:|$)"
| streamstats count as _event 
| eval index=mvrange(0,mvcount(_name))
| mvexpand index
| eval _name=mvindex(_name,index)
| eval _value=mvindex(_value,index)
| eval {_name}=_value
| fields - _name _value index
| stats values(*) as * by _event
| fields - _event

Note that extract might not work depending on the consistency of pair delimiters and their inclusion in the value strings.

richgalloway · ‎09-08-2021

Here are two ideas: rex command and extract command.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎09-08-2021

The question asked for ideas, not for someone else to do the work. 😀 Did you at least look at the commands?

@ITWhisperer has shown the rex command. Here is extract:

| extract pairdelim=" " kvdelim=":"

---
If this reply helps you, Karma would be appreciated.

prakashraja1999 · ‎09-08-2021

Kindly share the rex and extract commands

Multiple fields extraction

field extraction

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms