Solved: How to extract key-value pairs from log and visual...

arnavkumarsaxen · ‎04-19-2022

My logs are in the format:

My-Application Log: Some-Key= 99, SomeOtherKey= 231, SomeOtherKey2= 1231, Some Different Key= 0, Another Key= 121

I currently use query:

index="myindex" "My-Application Log:" | extract pairdelim=", " kvdelim="= " | table Some-Key SomeOtherKey SomeOtherKey2 "Some Different Key" "Another Key"

It is able to extract events however the table is filled with blank/null values.

How can i visualise the data if i have this format of logs.

I have to group by Some-key.

Example visualization should be grouped basis Some-key

Thanks in advance.

ITWhisperer · ‎04-19-2022

| makeresults
| eval _raw="My-Application Log: Some-Key= 99, SomeOtherKey= 231, SomeOtherKey2= 1231, Some Different Key= 0, Another Key= 121"
``` use rex to extract kv pairs ```
| rex max_match=0 "(?<namevalue>\w[\w\s\-]+=\s[^,]+)"
``` streamstats to tag each event so that the fields can be gathered together ```
| streamstats count as _row
``` expand the kv pairs to separate events ``` 
| mvexpand namevalue
``` split names and values ```
| rex field=namevalue "(?<_name>[^=]+)\=\s(?<_value>.*)"
| fields - namevalue
``` create new fields for each name with corresponding value ```
| eval {_name}=_value
``` gather fields back to original events ```
| stats values(_time) as _time values(*) as * by _row

View solution in original post

ITWhisperer · ‎04-19-2022

| makeresults
| eval _raw="My-Application Log: Some-Key= 99, SomeOtherKey= 231, SomeOtherKey2= 1231, Some Different Key= 0, Another Key= 121"
``` use rex to extract kv pairs ```
| rex max_match=0 "(?<namevalue>\w[\w\s\-]+=\s[^,]+)"
``` streamstats to tag each event so that the fields can be gathered together ```
| streamstats count as _row
``` expand the kv pairs to separate events ``` 
| mvexpand namevalue
``` split names and values ```
| rex field=namevalue "(?<_name>[^=]+)\=\s(?<_value>.*)"
| fields - namevalue
``` create new fields for each name with corresponding value ```
| eval {_name}=_value
``` gather fields back to original events ```
| stats values(_time) as _time values(*) as * by _row

arnavkumarsaxen · ‎04-19-2022

Works for me. However, i am new to splunk and i might have a small question.

The value from the last field contains \n" and sometimes \n"}

How to remove this as well.

ITWhisperer · ‎04-19-2022

Try it like this

| rex max_match=0 "(?<namevalue>\w[\w\s\-]+=\s[^,\n\}]+)"

arnavkumarsaxen · ‎04-19-2022

Values still coming in this way

ITWhisperer · ‎04-19-2022

Assuming you don't want anything after (and including) a backslash, try this:

| rex max_match=0 "(?<namevalue>\w[\w\s\-]+=\s[^,\\\\]+)(?=\\\\)?"

arnavkumarsaxen · ‎04-19-2022

Thanks a lot. It worked.

How to extract key-value pairs from log and visualize them

chart

field extraction

fields

lookup

regex

rex

stats

subsearch

table

timechart

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to extract key-value pairs from log and visualize them

Can’t make it to .conf25? Join us online!