Splunk Search

How do you extract multiple key value pairs within a raw field?

ameyapatil29
Explorer

Hello,

I want to extract key value pairs from logs that contain a particular search string.

Here is the example of the log
[INFO ] [2018-11-07 01:06:16 +0000] [69919359600740] connection_counter {22=>2, 29=>3, 16=>5, 21=>3, 14=>3}

I want to extract the key value pairs with "kvdelim" as "=>" and "pairdelim" as ", " and name it as "id" for key & "value" for value.

The two characters in "kvdelim" and "pairdelim" are considered as XOR not a combined unit.

Thanks,
-Ameya

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

Like this (use this exact search to see if the values are what you want)?:

| makeresults
| eval data="[INFO ] [2018-11-07 01:06:16 +0000] [69919359600740] connection_counter {22=>2, 29=>3, 16=>5, 21=>3, 14=>3}"
| rex field=data max_match=0 "(?<id>\d+)=>(?<value>\d+)"

View solution in original post

cpetterborg
SplunkTrust
SplunkTrust

Like this (use this exact search to see if the values are what you want)?:

| makeresults
| eval data="[INFO ] [2018-11-07 01:06:16 +0000] [69919359600740] connection_counter {22=>2, 29=>3, 16=>5, 21=>3, 14=>3}"
| rex field=data max_match=0 "(?<id>\d+)=>(?<value>\d+)"

ameyapatil29
Explorer

Hello @cpetterborg, Thank you for replying to this query.

I had a similar rex query that I tried but it never extracts the values. My query was

index="xxxx"  host="xxxxx" connection_counter | rex field=_raw "connection_counter {(?<community_id>\d*)=>(?<connection_count>\d*)}" 
|  rex field=_raw "\[(?P<thread_id>\d{14})\]" 
| timechart span=1m sum(connection_count)

This doesn't extract the different keys(community_id) and values(connection_count) associated with those keys.

0 Karma

ameyapatil29
Explorer

Ah correction, adding max_match extracts those values perfectly fine, Thank you @cpetterborg!

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I've moved the comment to an answer, so you can accept the answer if it has given you the answer that you need.

Thanks!

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...