Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with field extraction with complex events

SplunkDash
Motivator
‎07-24-2022 01:46 PM

Hello,

I have some issues with the field extraction for the following event (one sample event given below). Any recommendations will be highly appreciated. Thank you!

Sample Event

{

"time":"2022-07-01T10:44:16.230-05:10","@ver":"21","type":"track","DSTEST":"true","msg":"{\"timeStamp\":"2021-08-22T19:53:36.123+0000\",\"appName\":"wins\",\"userType\":"admin\",\"StatCd\":null,\"dollarAmt\":null,\"errorMsg\":null,\"eId\":"VIEW_BALANCE\",\"eventType\":"VIEW\",\"SourceCd\":"01\",\"ipAddr\":"127.0.0.13\",\"mftCd\":null,\"outputCd\":null,\"pNum\":null,\"rCd\":null,\"rtCd\":"03\",\"sId\":"48c42153-9cba2-42345-8faf-b57fb60fba6b\",\"tP\":null,\"empCode\":"234ass23\",\"empType\":"09\",\"uId\":"2350066750a0\",\"vd\":{}}"}

Labels (3)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2022 05:07 PM

What "issues" are you having?  What have you tried so far?  What were the results of those attempts?  What results do you expect?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SplunkDash
Motivator
‎07-24-2022 06:07 PM

Hello,

Thank you so much for your quick response.

Objective is to extract Key Value pairs and

I was trying to use this code

time"\:"(?P<Time_Stamp>.+)","\@ver"\:"(?P<Ver>\d+)","type"\:"(?<Type>\w+)",

to extract each of the key value pairs. it not working as expected since some cases Key doesn't have corresponding Value...like following event doesn't have Value for type

{

{

"time":"2022-07-01T10:44:16.230-05:10","@ver":"21","type":"","DSTEST":"true","msg":"{\"timeStamp\":"2021-08-22T19:53:36.123+0000\",\"appName\":"wins\",\"userType\":"admin\",\"StatCd\":null,\"dollarAmt\":null,\"errorMsg\":null,\"eId\":"VIEW_BALANCE\",\"eventType\":"VIEW\",\"SourceCd\":"01\",\"ipAddr\":"127.0.0.13\",\"mftCd\":null,\"outputCd\":null,\"pNum\":null,\"rCd\":null,\"rtCd\":"03\",\"sId\":"48c42153-9cba2-42345-8faf-b57fb60fba6b\",\"tP\":null,\"empCode\":"234ass23\",\"empType\":"09\",\"uId\":"2350066750a0\",\"vd\":{}}"}

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2022 08:07 AM

All of the keys have values, but some of the values are empty.  We can do that in a regex, but using * rather than + as the quantifier.

time":"(?P<Time_Stamp>.+)","@ver":"(?P<Ver>\d+)","type":"(?<Type>\w*)",

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...