Hey Splunkers!
I have several events from a particular index, and am looking to extract field/value pairs from one of the fields.
Sample event:
Description | Type |
Attribute: environment=PROD\nAttribute: severity=MAJOR\nAttribute: time_ins=2020-11-30T17:45:33\nAttribute: affected_aspect=Exit\nAttribute: plane=Prod\nAttribute: workflow_state=New | ALERT |
I need each of these attributes as another column in the search.
environment | severity | time_ins | affected_aspect | plane | workflow_state | Type |
prod | MAJOR | 2020-11-30T17:45:33 | Exit | Prod | New | ALERT |
Can someone please guide me?
Thank you!
The process is a bit convoluted since the extract command only works on the _raw field. Here is an example:
| makeresults | eval description="Attribute: environment=PROD\nAttribute: severity=MAJOR\nAttribute: time_ins=2020-11-30T17:45:33\nAttribute: affected_aspect=Exit\nAttribute: plane=Prod\nAttribute: workflow_state=New"
```The above just sets up test data```
| rename _raw as old_raw, description as _raw
| rex mode=sed s/\\\nAttribute://g
| extract pairdelim="\\" kvdelim="="
| rename _raw as description, old_raw as _raw
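As an added example that is not from the original answer, the same "Attribute: name=value" parsing done in Python, useful for checking what the SPL above should yield or for flattening the field in a script before ingest. SAMPLE_DESCRIPTION is a constructed copy of the asker's field; entries may be separated by real newlines or by the literal two-character backslash-n that the makeresults eval produces, and only the first "=" splits name from value.

```python
import re

# Constructed sample matching the asker's event; the separator here is the
# literal two characters backslash-n, as in the makeresults eval above.
SAMPLE_DESCRIPTION = (
    r"Attribute: environment=PROD\nAttribute: severity=MAJOR"
    r"\nAttribute: time_ins=2020-11-30T17:45:33"
    r"\nAttribute: affected_aspect=Exit\nAttribute: plane=Prod"
    r"\nAttribute: workflow_state=New"
)

# Column order the asker wants in the final table.
COLUMNS = ["environment", "severity", "time_ins",
           "affected_aspect", "plane", "workflow_state"]

# One entry per line: "Attribute: <name>=<value>"; the name runs up to the
# first "=", so a value is free to contain "=" itself.
LINE_RE = re.compile(r"^Attribute:\s*([^=\s]+)=(.*)$")


def parse_attributes(description: str) -> dict[str, str]:
    """Return {name: value} for every 'Attribute: name=value' entry.

    Both real newlines and the literal backslash-n sequence are accepted as
    entry separators. Lines that are not Attribute: lines are ignored, and a
    repeated name keeps the last value seen (matching a last-wins extract).
    """
    text = description.replace("\\n", "\n")
    attrs: dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs[m.group(1)] = m.group(2).strip()
    return attrs


def to_row(attrs: dict[str, str], columns: list[str]) -> list[str]:
    """Lay the parsed attributes out as one table row; missing names give ''."""
    return [attrs.get(c, "") for c in columns]


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_DESCRIPTION)
    print(" | ".join(COLUMNS))
    print(" | ".join(to_row(parsed, COLUMNS)))
```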
This is exactly what I was looking for!
Thanks a lot.