Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract data from quotation marks?

Lazous
Engager
‎04-18-2023 08:44 AM

Hello, 
I am trying to extract the data from the following message:
the header data is in quotes and for each header data there is a set of secondary data also in quotes.
The events are presented as follows:

{Name=SS, PId=236}
PROD {Type=A_OUTGOING, Id=7934,plan=8975, Conflict=2529, Date=2023-04-18T18:51:00.000+02:00}
PROD {Type=B_OUTGOING, Id=7934, plan=8975, Conflict=72482, Date=2023-04-18T18:51:00.000+02:00}
{Name=DAG, PId=55}
PROD {Type=B_INCOMING, Id=7921, plan=8975, Conflict=64870, Date=2023-04-18T18:51:00.000+02:00}

The following result is expected:

Name   PId  Type  Id  plan Conflict  Date
SS 236 A_OUTGOING 7934 8975 2529 2023-04-18T18:51:00.000+02:00
SS 236 B_OUTGOING 7934 8975 72482 2023-04-18T18:51:00.000+02:00
DAG 55 B_INCOMING 7921 8975 64870 2023-04-18T18:51:00.000+02:00

 

Would you please help? Thanking you

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-18-2023 10:31 AM

That data is JSON so the quick/easy/wrong fix is just to add this to your search:
| kv

But the better answer is to add this to your props.conf for your source/sourcetype:
KV_MODE = json

0 Karma
Reply

Lazous
Engager
‎04-18-2023 11:31 AM

i tried adding the | kv,

and i do not get all the data  in the result set.

am not allowed to edit the  props.conf

0 Karma
Reply

woodcock
Esteemed Legend
‎04-18-2023 11:43 AM

| makeresults
| eval raw="{Name=SS, PId=236}
PROD {Type=A_OUTGOING, Id=7934,plan=8975, Conflict=2529, Date=2023-04-18T18:51:00.000+02:00}
PROD {Type=B_OUTGOING, Id=7934, plan=8975, Conflict=72482, Date=2023-04-18T18:51:00.000+02:00} {Name=DAG, PId=55}
PROD {Type=B_INCOMING, Id=7921, plan=8975, Conflict=64870, Date=2023-04-18T18:51:00.000+02:00}"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| kv

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-18-2023 10:25 AM

Given that this looks like it might be JSON, have you tried using spath?

0 Karma
Reply

Lazous
Engager
‎04-18-2023 11:32 AM

would you please specify how the command would look like in this case ? 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...