I've managed to work out some regex to grab the data I want using regex101, but I'm having trouble porting it into Splunk because I believe Splunk also needs the correct information in the right place to name the extracted field.
The data I've got looks like this:
And the regex that gets the values after the keys is:
The first two will have carriage returns at the end and the last one won't, hence the different approach for that one.
I don't know where or what to add to get Splunk to call the first field Summary, for example, or Parts for the second, as you can see.
I realise it's going to be something like in there somewhere but can't work out where.
So, per the above, for the summary, for example.
The raw data is:
"#summary project x"
I would like to end up with a field named Summary and a value of project x
In regex101 (?<=#summary)\s(.*?)[\r\n] retrieves the value "project x"
Actually, also: I'm trying to find the field after the word summary, so it might not be project x but anything after the string #summary and up to the carriage return at the end of the line.
| makeresults
| eval sample="#summary project x #parts 1 a part #person1 4 #person2 #invoice"
| makemv delim=" " sample
| mvexpand sample
| rex field=sample "#(?<field_name>[^\s]+)( (?<value>.+))?"
| fillnull value value="N/A"
| eval value="\"".value."\""
| eval raw=mvzip(field_name,value,"=")
| stats count by raw
| rename raw as _raw
| kv
N/A where there is no value.
That is a cool search and extraction, thanks to4kawa. I'll definitely be able to use something like that in my project. As mentioned, though, I do want to extract these fields when the data comes in so I've got them ready to work with within my app. So I want to be able to go into field extractions and create the extraction in there. What I can't find documentation on is changing the regex that extracts the data into Splunk regex that extracts it and then applies it to a field name. Like doing this bit but in the field extraction creation section of the Splunk GUI - #(?<field_name>[^\s]+)( (?<value>.+))? - that obviously assigns the value to the field_name.
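The piece the regex101 pattern is missing is the PCRE named capture group, (?<FieldName>...), which is how Splunk learns what to call the extracted value. The stanza below is an added example written for this thread, not code from either poster and not a Splunk default; it assumes the events arrive under a sourcetype called my_sourcetype (a placeholder) and is what Settings > Fields > Field extractions (type: Inline) writes into props.conf when you paste the same regex into the GUI.

```ini
# local/props.conf -- added example for this thread, not from the original posts.
# "my_sourcetype" is a placeholder; replace it with the sourcetype of your data.
# Each EXTRACT-<class> line is an inline search-time extraction. The named
# group (?<Summary>...) is what names the field; without it Splunk has
# nothing to call the captured text.
[my_sourcetype]
# The leading '#' is escaped (\#) so it is read as a literal character.
# [ \t]+ rather than \s+ so a key with no value ("#person2" then CR/LF)
# does not swallow the line break and capture the next line by mistake.
# [^\r\n]+ stops at the carriage return, or at the end of the event for the
# last key that has no carriage return, so one pattern covers both cases.
EXTRACT-summary = \#summary[ \t]+(?<Summary>[^\r\n]+)
EXTRACT-parts   = \#parts[ \t]+(?<Parts>[^\r\n]+)

# To check the regex before saving it, run the same pattern inline:
#   index=... sourcetype=my_sourcetype
#   | rex field=_raw "\#summary[ \t]+(?<Summary>[^\r\n]+)"
#   | rex field=_raw "\#parts[ \t]+(?<Parts>[^\r\n]+)"
#   | table Summary Parts
```

The lookbehind from regex101 is not needed: anchoring on the literal key and capturing with a named group is simpler and is the form the Field extractions page expects. Field names are case-sensitive, so Summary and Parts will appear exactly as written in the group names.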