Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can extract or kv command be limited to a spec...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
recurse
New Member
12-27-2016
07:35 AM
It seems the extract/kv command uses _raw as input to do its parsing. Is there any way to pass a previously extracted field to it instead?
Given this sample event:
| stats count
| eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\""
I'm looking for something similar to:
| extract kvdelim=":" pairdelim="," input=messageToParse
to produce a table of:
key1 | key2 | key3
val1 | val2 | val3
Note: The number of kvps in messageToParse is greater than 50, so parsing them individually via regex is not suitable.
Any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-27-2016
02:06 PM
One workaround is this
| gentimes start=-1 | eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\"" | table _raw | extract | rename _raw as temp messageToParse as _raw | extract kvdelim=":=" pairdelim=", " | rename _raw as messageToParse | rename temp as _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-27-2016
02:06 PM
One workaround is this
| gentimes start=-1 | eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\"" | table _raw | extract | rename _raw as temp messageToParse as _raw | extract kvdelim=":=" pairdelim=", " | rename _raw as messageToParse | rename temp as _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
recurse
New Member
12-28-2016
08:03 AM
Thanks for the reply - I saw something similar in another post as well I think. The trouble I had was finding a way to limit the results in the table/output to only the keys parsed from messageToParse, instead of including user,application, etc, without manually specifying each key to display.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-28-2016
08:16 AM
If in your final results, you only want to show keys which are included in messageToParse, they try like this
| gentimes start=-1 | eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\"" | table _raw | extract | table messageToParse| rename messageToParse as _raw | extract kvdelim=":=" pairdelim=", " | fields - _raw
Get Updates on the Splunk Community!
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...
Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!
Discover how Splunk’s agentic AI ...
