Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can extract or kv command be limited to a spec...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
recurse
New Member
12-27-2016
07:35 AM
It seems the extract/kv command uses _raw as input to do its parsing. Is there any way to pass a previously extracted field to it instead?
Given this sample event:
| stats count
| eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\""
I'm looking for something similar to:
| extract kvdelim=":" pairdelim="," input=messageToParse
to produce a table of:
key1 | key2 | key3
val1 | val2 | val3
Note: The number of kvps in messageToParse is greater than 50, so parsing them individually via regex is not suitable.
Any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-27-2016
02:06 PM
One workaround is this
| gentimes start=-1 | eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\"" | table _raw | extract | rename _raw as temp messageToParse as _raw | extract kvdelim=":=" pairdelim=", " | rename _raw as messageToParse | rename temp as _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-27-2016
02:06 PM
One workaround is this
| gentimes start=-1 | eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\"" | table _raw | extract | rename _raw as temp messageToParse as _raw | extract kvdelim=":=" pairdelim=", " | rename _raw as messageToParse | rename temp as _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
recurse
New Member
12-28-2016
08:03 AM
Thanks for the reply - I saw something similar in another post as well I think. The trouble I had was finding a way to limit the results in the table/output to only the keys parsed from messageToParse, instead of including user,application, etc, without manually specifying each key to display.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-28-2016
08:16 AM
If in your final results, you only want to show keys which are included in messageToParse, they try like this
| gentimes start=-1 | eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\"" | table _raw | extract | table messageToParse| rename messageToParse as _raw | extract kvdelim=":=" pairdelim=", " | fields - _raw
Get Updates on the Splunk Community!
Your Guide to Splunk Digital Experience Monitoring
A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
