Splunk Search

How can I extract all key value between brackets (keys vary)?

indeed_2000
Motivator

Hi

I have a string like below, how can I extract all key value between brackets (keys vary)?

Arg[2]: NetworkPacket{trace='0'errCode=''dateTimeLocalTransaction='Mon May 30 00:00:00 IRDT 2022'dateTimeLocalTransactionTo='Mon May 30 23:59:59 USDT 2022'selectedTerminalTypes='[]'UDPApproveTermID='', dateEnd=null', referenceID='', selectedFlowTypeMaps=[]}

 

for above string out put like this:

trace=0

errCode=

dateTimeLocalTransaction=Mon May 30 00:00:00 USDT 2022

dateTimeLocalTransactionTo=Mon May 30 23:59:59 USDT 2022

selectedTerminalTypes=

UDPApproveTermID=

dateEnd=null

referenceID=

selectedFlowTypeMaps=

 

Thanks,

Labels (6)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @indeed_2000,

this seems to be a json log, so using the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath) you should automatically extract the fields you need.

But anyway, you have pairs fieldname=fieldvalue and Splunk should automatically extract all fields.

But if you don't have nothing you can use one regex like this, but it's easy that it doesn't run:

| rex "trace\=\'(?<trace>[^\']*)\'errCode\=\'(?<err_code>[^\']*)\'dateTimeLocalTransaction\=\'(?<dateTimeLocalTransaction>[^\']*)\'dateTimeLocalTransactionTo\=\'(?<dateTimeLocalTransactionTo>[^\']*)\'selectedTerminalTypes\=\'(?<selectedTerminalTypes>[^\']*)\'UDPApproveTermID\=\'(?<UDPApproveTermID>[^\']*)\',\s+dateEnd\=(?<dateEnd>[^\']*)\',\s+referenceID\=\'(?<referenceID>[^\']*)\',\s+selectedFlowTypeMaps\=(?<selectedFlowTypeMaps>[^\]]*)"

You can test the regex at https://regex101.com/r/rE0lZK/1 

or you could use a regex for each field extraction, something like this:

| rex "trace\=\'(?<trace>[^\']*)"
| rex "errCode\=\'(?<err_code>[^\']*)"
| rex "dateTimeLocalTransaction\=\'(?<dateTimeLocalTransaction>[^\']*)"
| rex "dateTimeLocalTransactionTo\=\'(?<dateTimeLocalTransactionTo>[^\']*)"
| rex "selectedTerminalTypes\=\'(?<selectedTerminalTypes>[^\']*)"
| rex "UDPApproveTermID\=\'(?<UDPApproveTermID>[^\']*)"
| rex "dateEnd\=(?<dateEnd>[^\']*)"
| rex "referenceID\=\'(?<referenceID>[^\']*)"
| rex "selectedFlowTypeMaps\=(?<selectedFlowTypeMaps>[^\]]*)"

My hint is to use spath, if possible, otherwise  the last solution (separated regexes).

Ciao.

Giuseppe

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

There seems to be a mixture of delimiters and separators e.g. sometimes there is no space between on field value finishing and the next field key starting, other times, there is a comma and a space. Please can you share an accurate (but anonymised) version of the events you are dealing with in a code block </> so that the browser doesn't try and reformat it?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @indeed_2000,

this seems to be a json log, so using the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath) you should automatically extract the fields you need.

But anyway, you have pairs fieldname=fieldvalue and Splunk should automatically extract all fields.

But if you don't have nothing you can use one regex like this, but it's easy that it doesn't run:

| rex "trace\=\'(?<trace>[^\']*)\'errCode\=\'(?<err_code>[^\']*)\'dateTimeLocalTransaction\=\'(?<dateTimeLocalTransaction>[^\']*)\'dateTimeLocalTransactionTo\=\'(?<dateTimeLocalTransactionTo>[^\']*)\'selectedTerminalTypes\=\'(?<selectedTerminalTypes>[^\']*)\'UDPApproveTermID\=\'(?<UDPApproveTermID>[^\']*)\',\s+dateEnd\=(?<dateEnd>[^\']*)\',\s+referenceID\=\'(?<referenceID>[^\']*)\',\s+selectedFlowTypeMaps\=(?<selectedFlowTypeMaps>[^\]]*)"

You can test the regex at https://regex101.com/r/rE0lZK/1 

or you could use a regex for each field extraction, something like this:

| rex "trace\=\'(?<trace>[^\']*)"
| rex "errCode\=\'(?<err_code>[^\']*)"
| rex "dateTimeLocalTransaction\=\'(?<dateTimeLocalTransaction>[^\']*)"
| rex "dateTimeLocalTransactionTo\=\'(?<dateTimeLocalTransactionTo>[^\']*)"
| rex "selectedTerminalTypes\=\'(?<selectedTerminalTypes>[^\']*)"
| rex "UDPApproveTermID\=\'(?<UDPApproveTermID>[^\']*)"
| rex "dateEnd\=(?<dateEnd>[^\']*)"
| rex "referenceID\=\'(?<referenceID>[^\']*)"
| rex "selectedFlowTypeMaps\=(?<selectedFlowTypeMaps>[^\]]*)"

My hint is to use spath, if possible, otherwise  the last solution (separated regexes).

Ciao.

Giuseppe

indeed_2000
Motivator

I try spath and worked!
thanks

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...