Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Extraction for Unstructured Quotation/Pair delimiter

SplunkDash
Motivator
‎09-21-2021 08:53 PM

Hello,

How, I would  write the regex for the  following events (3 sample events provided below). It has "," pair delimiter, but " (quotation) are missing  for one value (cit, shown in Bold) for some events. Any help will be highly appreciated, thank you.

"time_stamp":"2021-08-21 16:27:06 CDT","app_name":"CT-SATCUP","user_type":"TFilter","file_source_cd":"1","TFilterType":"0","ip_addr":"2300:1700:5c08:1030:6d93:7462:b15d:185c","session_id":"k/NJGhc8dU3OtYoRsrJ+pQzDdYE=","cit":"23235672174,"request_id":"32as3eee0a-0a31-6214a4e28-7e7fc700-6d792b5b203e","user_id":"cit1ddf82-bf36-40ca-84ae-7964b5680564","return_cd":"00","event_type":"SATCUP"  

"time_stamp":"2021-08-21 16:27:05 CDT","app_name":"CT-SATCUP","user_type":"TFilter","file_source_cd":"1","TFilterType":"0","ip_addr":"2400:1700:5c08:1030:6d93:9462:b15d:185c","session_id":"k/NJGhc8dU3OtYoRsrJ+pQzDdYE=","cit":"232356756174","request_id":"31as3eee0a-0a31-6214a4e28-7e7fc700-6d792b5b203e","user_id":"cit1ddf82-bf36-40ca-84ae-7964b5680564","return_cd":"01","event_type":"SATCUP"  

"time_stamp":"2021-08-21 16:27:08 CDT","app_name":"CT-SATCUP","user_type":"TFilter","file_source_cd":"4","TFilterType":"0","ip_addr":"2100:1700:5c08:1030:6r93:7462:b15d:185c","session_id":"k/NJGhc8dU3OtYoRsrJ+pQzDdYE=","cit":"232356756174,"request_id":"31bs3eee0a-0a31-6214a4e28-7e7fc700-6d792b5b203e","user_id":"cit1ddf82-bf36-40ca-84ae-7964b5680564","return_cd":"01","event_type":"SATCUP" 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-21-2021 11:11 PM

You can simply look for a field name in quotes and value not containing comma or quotation mark in possible quotes. Something like that

"(?<field_name>[^"]+)":"?(<?field_value>[^",]+)"?

 EDIT: Watch out, there is indeed a typo here.

Reply

SplunkDash
Motivator
‎09-22-2021 06:16 AM

Hello,

Thank you so much for the Regex codes you provided. Two points with this code

1. Field Names and Associated Field Values are coming under different groups

2. All  Field Names are coming as "field_ name"

is there anyway we can pick the field_name from the events (i.e. time_stamp, app_name and so on)  and put/keep associated field name and its field value together 

Thank you again, appreciate your support in these efforts.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-22-2021 06:46 AM

If you want dynamic field names, you might try something similar to this solution:

https://community.splunk.com/t5/Splunk-Search/How-to-extract-values/m-p/461411

Reply

SplunkDash
Motivator
‎09-22-2021 07:09 AM

Thank you again, appreciated. But, just a little confused how I would incorporate this dynamic field names and associated field values selection code under this field extraction option/feature (see below the screenshot). Your support will be appreciated.....Thank you so much!!!

 

malekmo_0-1632319718422.png

 

  

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-22-2021 12:18 PM

Ahhh, that's kinda different. The solution I pointed you to was about parsing explicitly in your search. If you want to define such extraction as extracted fields - to be honest, I haven't done it using GUI but I suppose you have to define it using transforms (settings -> fields -> field transformations) with regex containing

"(?<_KEY_1>[^"]+)":"?(<?_VAL_1>[^",]+)"

And no Format

And then define field extraction using this transformation (change type from "inline" to "uses transformation")

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎09-22-2021 12:08 AM

@PickleRick,

There is a typo on second capture group;

"(?<field_name>[^"]+)":"?(?<field_value>[^",]+)"?
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-22-2021 03:02 AM

You're right. I was typing it on my tablet 🙂

Nice catch!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...