Solved: How to extract a list of quoted key value pairs wh...

prcough · ‎07-31-2019

Hello,

I am attempting to figure out how to extract the following example event for all fields (the real event has ~30 fields but these show all use cases).

{'start_time': '2019-07-30 15:19:20', 'duration': '2', 'ip': '192.168.1.1', 'mac': '00:00:00:00:00:00', 'source': 'open source'}

I started my attempts with delimiters I found through some googling,

transforms.conf
[my_sourcetype]
DELIMS = "\"{,}", ": "

With this in place the event would have duration and IP extracted, but not mac, source, or start_time.

Any help is appreciated.

jnudell_2 · ‎07-31-2019

You're missing the command to allow multiple values:



transforms.conf

[my_sourcetype]

DELIMS = "\"{,}", ": "

MV_ADD = true

You could also try:



[my_sourcetype]

REGEX = '([^']+)': '([^']+)'

FORMAT = $1::$2

MV_ADD = true

jnudell_2 · ‎07-31-2019

You're missing the command to allow multiple values:



transforms.conf

[my_sourcetype]

DELIMS = "\"{,}", ": "

MV_ADD = true

You could also try:



[my_sourcetype]

REGEX = '([^']+)': '([^']+)'

FORMAT = $1::$2

MV_ADD = true

How to extract a list of quoted key value pairs when some values have spaces?