Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract Multiple Fields with Regex

ryoji_solsys
Explorer
‎12-04-2014 06:01 PM

I would like to extract fields in the response field dynamically by using "<_KEY_1" "<_VAL_1>" in transforms.conf

response = "customer:{tel:123456} startpoint:{http://www.splunk.com} interfaceNumber:{1234} name:{abc}"

Ideally I want to generate fields as

response-customer-tel = 123456
response-startpoint = http://www.splunk.com
response-interfacenumber = 1234 
response-name = abc

I have the following regex.

response=.+ (?<_KEY_1>\w+)\:\{(?<_VAL_1>.+)\}

I only get the last field "name" = "abc" extracted.

What is the best way to extract multi-fields dynamically by using KEY and VAL. (I don't know how many entries the response field has since each event can have a different number of entries in the response field).
I would also like to extract fields in a way that append "response" to each field so that it says response-name, response-interfacenumber and so on...
I learned that I can use "FIELDALIAS" to modify the field names from the previous question but is there anyway I can append "request" to the extracted fields automatically ?

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

musskopf
Builder
‎12-04-2014 06:25 PM

Try to use this Regex:

(?P<_KEY_1>\w+):\{(?P<_VAL_1>[^\s]+)\}

I haven't tested in Splunk but tested in https://regex101.com/ and seems fine

Cheers

View solution in original post

Reply
Solved! Jump to solution
Solution

musskopf
Builder
‎12-04-2014 06:25 PM

Try to use this Regex:

(?P<_KEY_1>\w+):\{(?P<_VAL_1>[^\s]+)\}

I haven't tested in Splunk but tested in https://regex101.com/ and seems fine

Cheers

Reply
Solved! Jump to solution

ryoji_solsys
Explorer
‎12-04-2014 07:01 PM

Thanks for the prompt answer.
This helped me to extract multiple fields. But can I also somehow append "req" to each field automatically ?

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...