Solved: Complex kv extraction

mfscully · ‎12-17-2014

The DateTime and ServerName values are always there, but the kv pairs afterwards are variable.
I tried using the extract command but it sets $DateTime=$ServerName.
What's the best way to extract the kv pairs?

lguinn2 · ‎12-17-2014

Well, you could do this in props.conf

[yoursourcetypename]
EXTRACT-e1=caller_file_name\|(?<caller_file_name>.*?)\|
EXTRACT-e1=caller_package\|(?<caller_package>.*?)\|

etc.

It isn't pretty but it is exact. If you try to extract using the REPORT option, with DELIMs, etc. - it won't work because Splunk expects name-value pairs. And your data doesn't start with a name-value pair. But you've already figured that out...

View solution in original post

lguinn2 · ‎12-17-2014

Well, you could do this in props.conf

[yoursourcetypename]
EXTRACT-e1=caller_file_name\|(?<caller_file_name>.*?)\|
EXTRACT-e1=caller_package\|(?<caller_package>.*?)\|

etc.

It isn't pretty but it is exact. If you try to extract using the REPORT option, with DELIMs, etc. - it won't work because Splunk expects name-value pairs. And your data doesn't start with a name-value pair. But you've already figured that out...

Complex kv extraction

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Complex kv extraction

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience