Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract dynamic key value pairs in mixed data from DB Connect app?

TangentTexan
New Member
‎08-09-2014 06:23 PM

I am indexing a string for the DBConnect where one of the fields stores a modified data in one of the cells.
In a sub part of a Log entry I am having a difficulty extracting the KV pairs. Where the previous parts of each log entry have the basic Key=Value on a line each, that is working. The part that is not is from the AllXML field - string= item.

  1. Starts with:
    string="
  2. Each key:value pair is separated with:
    :
  3. Additional Keys begin from:
    

  4. Additional Values end with:
    
  5. Stops with:
    "

Sample Log Entry:

AllXML=<error
    application="my application name"
    detail="whole bunch of stuff"
    time="2014-08-08T11:11:59.4225842Z"
    statusCode="500">   
<serverVariables>
        <item
          name="ALL_HTTP">
          <value    
    string="KEYNAME1:Value1 Value1,MoreValue1&#xD;&#xA;Key-Name2:Value2-Value2.Value2&#xD;&#xA;KEY-NAME3:true&#xD;&#xA;Key_Name4:Value4 ; Value4,Value4.Value4 - vvvvvvAAALLLLuuuueeeee44444&#xD;&#xA;" />

The OutPut should be, so that these items get indexed:

application="my application name"
detail="whole bunch of stuff
time=2014-08-08T11:11:59.4225842Z
statusCode=500
KEYNAME1=Value1
Key-Name2=Value2-Value2.Value2
KEY-NAME3=true
Key_Name4=Value4 ; Value4,Value4.Value4 - vvvvvvAAALLLLuuuueeeee44444

I know it should be through the transform.conf - but getting the regex to pull the data in has become difficult.
ant assistance would be appreciated.
Thanks,

0 Karma
Reply

somesoni2
Revered Legend
‎08-11-2014 12:48 PM

Try this

In props.conf

[YourSourceType]
REPORT-customkvtransform = customkvextract

In transforms.conf

[customkvextract]
CLEAN_KEYS = 1
FORMAT = $2::$3
MV_ADD = 0
REGEX = ([&#xA;]*)([^:]+):([^&]+)&#xD;
SOURCE_KEY = string
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...