Solved: Complex kv extraction

mfscully · ‎12-17-2014

The DateTime and ServerName values are always there, but the kv pairs afterwards are variable.
I tried using the extract command but it sets $DateTime=$ServerName.
What's the best way to extract the kv pairs?

lguinn2 · ‎12-17-2014

Well, you could do this in props.conf

[yoursourcetypename]
EXTRACT-e1=caller_file_name\|(?<caller_file_name>.*?)\|
EXTRACT-e1=caller_package\|(?<caller_package>.*?)\|

etc.

It isn't pretty but it is exact. If you try to extract using the REPORT option, with DELIMs, etc. - it won't work because Splunk expects name-value pairs. And your data doesn't start with a name-value pair. But you've already figured that out...

View solution in original post

lguinn2 · ‎12-17-2014

Well, you could do this in props.conf

[yoursourcetypename]
EXTRACT-e1=caller_file_name\|(?<caller_file_name>.*?)\|
EXTRACT-e1=caller_package\|(?<caller_package>.*?)\|

etc.

It isn't pretty but it is exact. If you try to extract using the REPORT option, with DELIMs, etc. - it won't work because Splunk expects name-value pairs. And your data doesn't start with a name-value pair. But you've already figured that out...

Complex kv extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Join the Conversation