Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract each key=value as a new field from a multikv field at search-time?

zeophlite
New Member
‎07-06-2016 03:13 AM

At search-time, I've been able to massage my data into a multikv field like so:
alt text

Is it possible to extract each key=value as a new field into my event, without specifying the key or the mvindex ?

i.e. , I can manually extract individual fields using a method like this:

| eval "Target type"=mvindex(kvpairs, 1)
| eval "Target name"=mvindex(kvpairs, 2)

But I don't know all possible key's beforehand (they are provided by a 3rd party system).

Preview file
1 KB
0 Karma
Reply

sundareshr
Legend
‎07-06-2016 05:33 AM

Have you tried the extract command. Something like this should work

.... | extract pairdelim="\n" kvdelim="=" | ...

http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/extract

Reply

zeophlite
New Member
‎07-06-2016 05:38 AM

Hi @sundareshr , extract only works on _raw , I want to run it on kvpairs , which is a multivalue field

0 Karma
Reply

javiergn
SplunkTrust
SplunkTrust
‎07-06-2016 03:29 AM

Try this:

your base search here
| rex field=kvpairs max_match=0 "(?mi)(?<keyvalue>[^\n]+)"
| mvexpand keyvalue
| rex field=keyvalue "(?i)^(?<key>[^=]+)=(?<value>.*)$"
| eval {key} = value
| fields - kvpairs, keyvalue, key, value
| stats first(*) as * by _raw

Example:

| stats count | fields - count
| eval _raw = "
Host=iorsdb;Target type=Cluster Database;Target name=<a href=\"https://poem12.
"
| eval kvpairs = split(_raw, ";")
| rex field=kvpairs max_match=0 "(?mi)(?<keyvalue>[^\n]+)"
| mvexpand keyvalue
| rex field=keyvalue "(?i)^(?<key>[^=]+)=(?<value>.*)$"
| eval {key} = value
| fields - kvpairs, keyvalue, key, value
| stats first(*) as * by _raw
| fields - _raw

Output: see picture below

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

zeophlite
New Member
‎07-06-2016 04:06 AM

Is there a way to do this without the mvexpand ? I want to keep the raw events together, just augment them with additional fields

0 Karma
Reply

javiergn
SplunkTrust
SplunkTrust
‎07-06-2016 04:19 AM

You can revert mvexpand afterwards with stats.
If you don't separate your kvfields into different events you can't use eval {key} = value in the right way.

Try without the mvexpand and see what happens.

As an alternative, give this a go:

your base search
| rex field=kvpairs max_match=0 "(?mi)(?<keyvalue>[^\n]+)"
| mvexpand keyvalue
| rex field=keyvalue "(?i)^(?<key>[^=]+)=(?<value>.*)$"
| eval {key} = value
| fields - keyvalue, key, value
| stats values(kvpairs) as kvpairs,  first(*) as * by _raw
0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...