Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with field extraction with complex events

SplunkDash
Motivator
‎07-24-2022 01:46 PM

Hello,

I have some issues with the field extraction for the following event (one sample event given below). Any recommendations will be highly appreciated. Thank you!

Sample Event

{

"time":"2022-07-01T10:44:16.230-05:10","@ver":"21","type":"track","DSTEST":"true","msg":"{\"timeStamp\":"2021-08-22T19:53:36.123+0000\",\"appName\":"wins\",\"userType\":"admin\",\"StatCd\":null,\"dollarAmt\":null,\"errorMsg\":null,\"eId\":"VIEW_BALANCE\",\"eventType\":"VIEW\",\"SourceCd\":"01\",\"ipAddr\":"127.0.0.13\",\"mftCd\":null,\"outputCd\":null,\"pNum\":null,\"rCd\":null,\"rtCd\":"03\",\"sId\":"48c42153-9cba2-42345-8faf-b57fb60fba6b\",\"tP\":null,\"empCode\":"234ass23\",\"empType\":"09\",\"uId\":"2350066750a0\",\"vd\":{}}"}

Labels (3)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2022 05:07 PM

What "issues" are you having?  What have you tried so far?  What were the results of those attempts?  What results do you expect?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SplunkDash
Motivator
‎07-24-2022 06:07 PM

Hello,

Thank you so much for your quick response.

Objective is to extract Key Value pairs and

I was trying to use this code

time"\:"(?P<Time_Stamp>.+)","\@ver"\:"(?P<Ver>\d+)","type"\:"(?<Type>\w+)",

to extract each of the key value pairs. it not working as expected since some cases Key doesn't have corresponding Value...like following event doesn't have Value for type

{

{

"time":"2022-07-01T10:44:16.230-05:10","@ver":"21","type":"","DSTEST":"true","msg":"{\"timeStamp\":"2021-08-22T19:53:36.123+0000\",\"appName\":"wins\",\"userType\":"admin\",\"StatCd\":null,\"dollarAmt\":null,\"errorMsg\":null,\"eId\":"VIEW_BALANCE\",\"eventType\":"VIEW\",\"SourceCd\":"01\",\"ipAddr\":"127.0.0.13\",\"mftCd\":null,\"outputCd\":null,\"pNum\":null,\"rCd\":null,\"rtCd\":"03\",\"sId\":"48c42153-9cba2-42345-8faf-b57fb60fba6b\",\"tP\":null,\"empCode\":"234ass23\",\"empType\":"09\",\"uId\":"2350066750a0\",\"vd\":{}}"}

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2022 08:07 AM

All of the keys have values, but some of the values are empty.  We can do that in a regex, but using * rather than + as the quantifier.

time":"(?P<Time_Stamp>.+)","@ver":"(?P<Ver>\d+)","type":"(?<Type>\w*)",

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...