Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract Multiple Fields with Regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to extract fields in the response field dynamically by using "<_KEY_1" "<_VAL_1>" in transforms.conf
response = "customer:{tel:123456} startpoint:{http://www.splunk.com} interfaceNumber:{1234} name:{abc}"
Ideally I want to generate fields as
response-customer-tel = 123456
response-startpoint = http://www.splunk.com
response-interfacenumber = 1234
response-name = abc
I have the following regex.
response=.+ (?<_KEY_1>\w+)\:\{(?<_VAL_1>.+)\}
I only get the last field "name" = "abc" extracted.
What is the best way to extract multi-fields dynamically by using KEY and VAL. (I don't know how many entries the response field has since each event can have a different number of entries in the response field).
I would also like to extract fields in a way that append "response" to each field so that it says response-name, response-interfacenumber and so on...
I learned that I can use "FIELDALIAS" to modify the field names from the previous question but is there anyway I can append "request" to the extracted fields automatically ?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try to use this Regex:
(?P<_KEY_1>\w+):\{(?P<_VAL_1>[^\s]+)\}
I haven't tested in Splunk but tested in https://regex101.com/ and seems fine
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try to use this Regex:
(?P<_KEY_1>\w+):\{(?P<_VAL_1>[^\s]+)\}
I haven't tested in Splunk but tested in https://regex101.com/ and seems fine
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the prompt answer.
This helped me to extract multiple fields. But can I also somehow append "req" to each field automatically ?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
