Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Fields Extraction

kunalsingh
Engager
‎04-24-2025 03:46 AM

I have used this regex -

\^([^=]+)=([^^]*)
Apr 23 21:43:22 3.111.9.101 CEF:0|Seqrite|EPS|5.2.1.0|Data Loss Prevention Event|^|channelType=Applications/Online Services^domainName=AVOTRIXLABS^endpointName=ALEI5-ANURAGR^groupName=Default^channelDetail=Microsoft OneDrive Client^documentName=^filePath=C:\Users\anurag.rathore.AVOTRIXLABS\OneDrive - Scanlytics Technology\Documents\git\splunk_prod\deployment-apps\Fleet_Management_Dashboard\appserver\static\fontawesome-free-6.1.1-web\svgs\solid\flask-vial.svg^macID1=9C-5A-44-0A-26-5B^status=Success^subject=^actionId=Skipped^printerName=^recipientList=^serverDateTime=Wed Apr 23 16:13:57 UTC 2025^matchedItem=Visa^sender=^contentType=Confidential Data^dataId=Client Application^incidentOn=Wed Apr 23 16:07:38 UTC 2025^ipAddressFromClient=***.***.*.16^macID2=00-FF-58-34-31-0E^macID3=B0-FC-36-CA-1C-73^userName=anurag.rathore 

it is able to extract all field correctly Except a few fields .
Here documentName should be empty but it is showing this on search time.image.png 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎04-26-2025 02:13 PM

Hi @kunalsingh 

Use a REPORT transform in props.conf and transforms.conf to define the field extractions based on your delimiters.

==props.conf==
[your_sourcetype]
# Replace your_sourcetype with the actual sourcetype of your data
REPORT-kv_pairs = extract_custom_kv

==transforms.conf==
[extract_custom_kv]
REGEX = ([^=\^]+)=([^\^]*)
FORMAT = $1::$2
MV_ADD = true

This configuration defines a field extraction named extract_custom_kv.

  • REGEX = ([^=\^]+)=([^\^]*): This regular expression finds key-value pairs separated by =.
  • ([^=\^]+) captures the key (any character except = or ^).
  • = matches the literal equals sign.
  • ([^\^]*) captures the value (any character except ^, including an empty string). This correctly handles fields like documentName= where the value is empty.
  • FORMAT = $1::$2: This assigns the captured key (group 1) and value (group 2) to a Splunk field.
  • MV_ADD = true: Ensures that if multiple key-value pairs are found in a single event, they are all extracted.

Check a working example at https://regex101.com/r/yAjRVa/1

This method correctly identifies the ^ character as the delimiter between pairs and = as the separator within a pair, handling empty values appropriately. The regex you provided, ^([^=]+)=([^^\]), likely failed because the ^ anchor restricts it to the start of the string, and the character class [^^\*] might not behave as expected compared to [^\^].

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-27-2025 12:41 AM

Hi @kunalsingh ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎04-26-2025 02:13 PM

Hi @kunalsingh 

Use a REPORT transform in props.conf and transforms.conf to define the field extractions based on your delimiters.

==props.conf==
[your_sourcetype]
# Replace your_sourcetype with the actual sourcetype of your data
REPORT-kv_pairs = extract_custom_kv

==transforms.conf==
[extract_custom_kv]
REGEX = ([^=\^]+)=([^\^]*)
FORMAT = $1::$2
MV_ADD = true

This configuration defines a field extraction named extract_custom_kv.

  • REGEX = ([^=\^]+)=([^\^]*): This regular expression finds key-value pairs separated by =.
  • ([^=\^]+) captures the key (any character except = or ^).
  • = matches the literal equals sign.
  • ([^\^]*) captures the value (any character except ^, including an empty string). This correctly handles fields like documentName= where the value is empty.
  • FORMAT = $1::$2: This assigns the captured key (group 1) and value (group 2) to a Splunk field.
  • MV_ADD = true: Ensures that if multiple key-value pairs are found in a single event, they are all extracted.

Check a working example at https://regex101.com/r/yAjRVa/1

This method correctly identifies the ^ character as the delimiter between pairs and = as the separator within a pair, handling empty values appropriately. The regex you provided, ^([^=]+)=([^^\]), likely failed because the ^ anchor restricts it to the start of the string, and the character class [^^\*] might not behave as expected compared to [^\^].

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-26-2025 09:21 AM

Hi @kunalsingh ,

please try this:

\^([^\=]+)=([^\^]*)

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...