Splunk Dev

Splunk Fields Extraction

kunalsingh
Engager

I have used this regex -

\^([^=]+)=([^^]*)

Apr 23 21:43:22 3.111.9.101 CEF:0|Seqrite|EPS|5.2.1.0|Data Loss Prevention Event|^|channelType=Applications/Online Services^domainName=AVOTRIXLABS^endpointName=ALEI5-ANURAGR^groupName=Default^channelDetail=Microsoft OneDrive Client^documentName=^filePath=C:\Users\anurag.rathore.AVOTRIXLABS\OneDrive - Scanlytics Technology\Documents\git\splunk_prod\deployment-apps\Fleet_Management_Dashboard\appserver\static\fontawesome-free-6.1.1-web\svgs\solid\flask-vial.svg^macID1=9C-5A-44-0A-26-5B^status=Success^subject=^actionId=Skipped^printerName=^recipientList=^serverDateTime=Wed Apr 23 16:13:57 UTC 2025^matchedItem=Visa^sender=^contentType=Confidential Data^dataId=Client Application^incidentOn=Wed Apr 23 16:07:38 UTC 2025^ipAddressFromClient=***.***.*.16^macID2=00-FF-58-34-31-0E^macID3=B0-FC-36-CA-1C-73^userName=anurag.rathore

It is able to extract all fields correctly except a few.
Here documentName should be empty, but it is showing this at search time.

0 Karma
1 Solution

livehybrid
SplunkTrust

Hi @kunalsingh 

Use a REPORT transform in props.conf and transforms.conf to define the field extractions based on your delimiters.

==props.conf==
[your_sourcetype]
# Replace your_sourcetype with the actual sourcetype of your data
REPORT-kv_pairs = extract_custom_kv

==transforms.conf==
[extract_custom_kv]
REGEX = ([^=\^]+)=([^\^]*)
FORMAT = $1::$2
MV_ADD = true

This configuration defines a field extraction named extract_custom_kv.

  • REGEX = ([^=\^]+)=([^\^]*): This regular expression finds key-value pairs separated by =.
  • ([^=\^]+) captures the key (any character except = or ^).
  • = matches the literal equals sign.
  • ([^\^]*) captures the value (any character except ^, including an empty string). This correctly handles fields like documentName= where the value is empty.
  • FORMAT = $1::$2: This assigns the captured key (group 1) and value (group 2) to a Splunk field.
  • MV_ADD = true: Ensures that if multiple key-value pairs are found in a single event, they are all extracted.

Check a working example at https://regex101.com/r/yAjRVa/1

This method correctly identifies the ^ character as the delimiter between pairs and = as the separator within a pair, handling empty values appropriately. The regex you provided, ^([^=]+)=([^^\]), likely failed because the ^ anchor restricts it to the start of the string, and the character class [^^\*] might not behave as expected compared to [^\^].

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post
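Added example, not part of the original thread: the script below runs the REGEX from the answer's transforms.conf stanza over a constructed event in the same Seqrite EPS layout and emulates what FORMAT = $1::$2 with MV_ADD = true produces, so the behaviour on empty values (documentName=, recipientList=) and on a value that itself contains "=" can be checked before touching a Splunk config. It also shows one caveat a practitioner would want to know: because the regex is not anchored on the "^" delimiter, the first pair after the CEF header is extracted with the header's trailing "|" glued to the key ("|channelType"). STRICT_REGEX is an assumption of this example, not something from the thread, and the sample event, host names and paths are invented. Python's re and Splunk's PCRE agree on the character classes used here.

```python
import re

# Constructed sample event in the same Seqrite EPS CEF layout as the event in the
# question: pairs delimited by "^", key and value separated by "=". Host names,
# addresses and paths are invented for this example.
SAMPLE_EVENT = (
    "Apr 23 21:43:22 192.0.2.10 CEF:0|Seqrite|EPS|5.2.1.0|Data Loss Prevention Event|"
    "^|channelType=Applications/Online Services^domainName=EXAMPLE^endpointName=WS-01"
    "^channelDetail=Microsoft OneDrive Client^documentName="
    "^filePath=C:\\Users\\jdoe\\Documents\\report.docx^macID1=9C-5A-44-0A-26-5B"
    "^status=Success^subject=Re: 2025=budget^recipientList=^actionId=Skipped"
    "^serverDateTime=Wed Apr 23 16:13:57 UTC 2025^matchedItem=Visa^userName=jdoe"
)

# REGEX from the answer's transforms.conf stanza, unchanged.
ANSWER_REGEX = re.compile(r"([^=\^]+)=([^\^]*)")

# Stricter variant (an assumption of this example, not from the thread): each pair
# must start at a "^" delimiter, the "|" that closes the CEF header before the
# first pair is skipped, and keys are limited to characters valid in a field name.
STRICT_REGEX = re.compile(r"\^\|?([A-Za-z][A-Za-z0-9_]*)=([^\^]*)")


def extract_kv(event: str, pattern: re.Pattern) -> dict[str, list[str]]:
    """Emulate REPORT with FORMAT = $1::$2 and MV_ADD = true: every match yields a
    field named by group 1 with group 2 as its value; repeated keys accumulate
    as a multivalue field instead of overwriting each other."""
    fields: dict[str, list[str]] = {}
    for key, value in pattern.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


def odd_keys(fields: dict[str, list[str]]) -> list[str]:
    """Keys that are not clean field names (leading '|', spaces, punctuation)."""
    return [k for k in fields if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", k)]


if __name__ == "__main__":
    for name, pattern in (("answer", ANSWER_REGEX), ("strict", STRICT_REGEX)):
        fields = extract_kv(SAMPLE_EVENT, pattern)
        print(f"{name}: {len(fields)} fields, "
              f"documentName={fields.get('documentName')!r}, "
              f"odd keys={odd_keys(fields)}")
```

Both patterns return documentName and recipientList as a single empty value and keep "Re: 2025=budget" intact, because only "^" terminates a value. The answer's regex yields the key "|channelType" for the first pair; anchoring on "\^" and allowing an optional "|" removes that without changing any other field.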

gcusello
SplunkTrust

Hi @kunalsingh ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust

Hi @kunalsingh ,

please try this:

\^([^\=]+)=([^\^]*)

Ciao.

Giuseppe

0 Karma