Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract key/values from a string?

knielsen
Contributor
‎01-19-2016 03:49 AM

Hi,

Well, there must be a really easy answer for this, but I seem to be mentally blocked. 🙂

So if I have field after a search that contains a string with regular key/value syntax, but I don't know what keys will be there, how can I extract those keys into actual Splunk fields?

E.g.

... | eval bla="gc_bla=bla gc_hsg=1234 gc_foo=bar" | ...

How do I get gc_bla, gc_hsg and gc_foo as fields in Splunk that I can work with?

I figured out how to do it with extract and something in transforms.conf, but I expect there is a more straight forward way?

0 Karma
Reply

chimell
Motivator
‎01-19-2016 04:57 AM

hi knielsen
Use this search code to extract your field

    .......|rex field=bla    "\"gc_bla\=(?<field1>[\w+]+)\s+gc_hsg\=(?<field2>[\d+]+)\s+gc_foo=(?<field3>[\d+]+)\""|table field1 field2 field3

You can use this regex in you transform.conf file

0 Karma
Reply

knielsen
Contributor
‎01-19-2016 05:05 AM

I cannot use this kind of regex because "I don't know what keys will be there". Also, I cannot be sure of the order. Otherwise that would be the way to go.

0 Karma
Reply

javiergn
Super Champion
‎01-19-2016 04:28 AM

I would go for the props and transforms option.

Your transforms.conf can be something as simple as (you might need to improve the regex below by the way):

[mytransform]
REGEX  = \"(?<_KEY_1>\w+)=(?<_VAL_1>\w+)\"
FORMAT = $1::$2

And then in your props.conf

 [sourcetype BLA]
 ...
 REPORT-abc = mytransform

http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Transformsconf

Reply

knielsen
Contributor
‎01-19-2016 05:03 AM

That's almost exactly what I came up with already, but thinking that using transforms.conf would be overkill. 🙂 The key=value structure in the string is so simple that I was thinking there must be a way to this without this kind of configuration.

If there is no more generic way, I'll accept this later.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top