Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you extract multiple key value pairs within a raw field?

ameyapatil29
Explorer
‎11-06-2018 05:17 PM

Hello,

I want to extract key value pairs from logs that contain a particular search string.

Here is the example of the log
[INFO ] [2018-11-07 01:06:16 +0000] [69919359600740] connection_counter {22=>2, 29=>3, 16=>5, 21=>3, 14=>3}

I want to extract the key value pairs with "kvdelim" as "=>" and "pairdelim" as ", " and name it as "id" for key & "value" for value.

The two characters in "kvdelim" and "pairdelim" are considered as XOR not a combined unit.

Thanks,
-Ameya

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-06-2018 05:31 PM

Like this (use this exact search to see if the values are what you want)?:

| makeresults
| eval data="[INFO ] [2018-11-07 01:06:16 +0000] [69919359600740] connection_counter {22=>2, 29=>3, 16=>5, 21=>3, 14=>3}"
| rex field=data max_match=0 "(?<id>\d+)=>(?<value>\d+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-06-2018 05:31 PM

Like this (use this exact search to see if the values are what you want)?:

| makeresults
| eval data="[INFO ] [2018-11-07 01:06:16 +0000] [69919359600740] connection_counter {22=>2, 29=>3, 16=>5, 21=>3, 14=>3}"
| rex field=data max_match=0 "(?<id>\d+)=>(?<value>\d+)"
Reply
Solved! Jump to solution

ameyapatil29
Explorer
‎11-07-2018 09:41 AM

Hello @cpetterborg, Thank you for replying to this query.

I had a similar rex query that I tried but it never extracts the values. My query was 

index="xxxx"  host="xxxxx" connection_counter | rex field=_raw "connection_counter {(?<community_id>\d*)=>(?<connection_count>\d*)}" 
|  rex field=_raw "\[(?P<thread_id>\d{14})\]" 
| timechart span=1m sum(connection_count)

This doesn't extract the different keys(community_id) and values(connection_count) associated with those keys.

0 Karma
Reply
Solved! Jump to solution

ameyapatil29
Explorer
‎11-07-2018 09:56 AM

Ah correction, adding max_match extracts those values perfectly fine, Thank you @cpetterborg!

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-07-2018 09:59 AM

I've moved the comment to an answer, so you can accept the answer if it has given you the answer that you need.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...