Solved: How does splunk split field contents in dictionary...

Cathy · ‎01-05-2023

current splunk log:

user=a,ip=b,info={'gender':1,'Country':2},p=1,

target splunk table:

 user=a,ip=b,gender=1,Country=2,p=1,

ITWhisperer · ‎01-05-2023

Your log looks pretty standard and fields can be parsed into name/value pairs with the extract command. Then, your info field looks a bit like JSON only you have single quotes instead of double quotes. Your can switch these with the replace function, Then you can parse the (now correct) JSON field with the spath command

| extract
| eval info=replace(info,"'","\"")
| spath input=info

View solution in original post

ITWhisperer · ‎01-05-2023

Your log looks pretty standard and fields can be parsed into name/value pairs with the extract command. Then, your info field looks a bit like JSON only you have single quotes instead of double quotes. Your can switch these with the replace function, Then you can parse the (now correct) JSON field with the spath command

| extract
| eval info=replace(info,"'","\"")
| spath input=info

Cathy · ‎01-05-2023

Thank you for your answer. It works!

How does splunk split field contents in dictionary format?

regex

rex

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application