Solved: How does splunk split field contents in dictionary...

Cathy · ‎01-05-2023

current splunk log:

user=a,ip=b,info={'gender':1,'Country':2},p=1,

target splunk table:

 user=a,ip=b,gender=1,Country=2,p=1,

ITWhisperer · ‎01-05-2023

Your log looks pretty standard and fields can be parsed into name/value pairs with the extract command. Then, your info field looks a bit like JSON only you have single quotes instead of double quotes. Your can switch these with the replace function, Then you can parse the (now correct) JSON field with the spath command

| extract
| eval info=replace(info,"'","\"")
| spath input=info

View solution in original post

ITWhisperer · ‎01-05-2023

Your log looks pretty standard and fields can be parsed into name/value pairs with the extract command. Then, your info field looks a bit like JSON only you have single quotes instead of double quotes. Your can switch these with the replace function, Then you can parse the (now correct) JSON field with the spath command

| extract
| eval info=replace(info,"'","\"")
| spath input=info

Cathy · ‎01-05-2023

Thank you for your answer. It works!

How does splunk split field contents in dictionary format?

regex

rex

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms