How to extract data from quotation marks?

Lazous · ‎04-18-2023

Hello,
I am trying to extract the data from the following message:
the header data is in quotes and for each header data there is a set of secondary data also in quotes.
The events are presented as follows:

{Name=SS, PId=236}
PROD {Type=A_OUTGOING, Id=7934,plan=8975, Conflict=2529, Date=2023-04-18T18:51:00.000+02:00}
PROD {Type=B_OUTGOING, Id=7934, plan=8975, Conflict=72482, Date=2023-04-18T18:51:00.000+02:00}
{Name=DAG, PId=55}
PROD {Type=B_INCOMING, Id=7921, plan=8975, Conflict=64870, Date=2023-04-18T18:51:00.000+02:00}

The following result is expected:

Name	PId	Type	Id	plan	Conflict	Date
SS	236	A_OUTGOING	7934	8975	2529	2023-04-18T18:51:00.000+02:00
SS	236	B_OUTGOING	7934	8975	72482	2023-04-18T18:51:00.000+02:00
DAG	55	B_INCOMING	7921	8975	64870	2023-04-18T18:51:00.000+02:00

Would you please help? Thanking you

woodcock · ‎04-18-2023

That data is JSON so the quick/easy/wrong fix is just to add this to your search:
| kv

But the better answer is to add this to your props.conf for your source/sourcetype:
KV_MODE = json

Lazous · ‎04-18-2023

i tried adding the | kv,

and i do not get all the data in the result set.

am not allowed to edit the props.conf

woodcock · ‎04-18-2023

| makeresults
| eval raw="{Name=SS, PId=236}
PROD {Type=A_OUTGOING, Id=7934,plan=8975, Conflict=2529, Date=2023-04-18T18:51:00.000+02:00}
PROD {Type=B_OUTGOING, Id=7934, plan=8975, Conflict=72482, Date=2023-04-18T18:51:00.000+02:00} {Name=DAG, PId=55}
PROD {Type=B_INCOMING, Id=7921, plan=8975, Conflict=64870, Date=2023-04-18T18:51:00.000+02:00}"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| kv

ITWhisperer · ‎04-18-2023

Given that this looks like it might be JSON, have you tried using spath?

Lazous · ‎04-18-2023

would you please specify how the command would look like in this case ?

How to extract data from quotation marks?

rex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!