How to extract key/values from a string?

knielsen · ‎01-19-2016

Hi,

Well, there must be a really easy answer for this, but I seem to be mentally blocked. 🙂

So if I have field after a search that contains a string with regular key/value syntax, but I don't know what keys will be there, how can I extract those keys into actual Splunk fields?

E.g.

... | eval bla="gc_bla=bla gc_hsg=1234 gc_foo=bar" | ...

How do I get gc_bla, gc_hsg and gc_foo as fields in Splunk that I can work with?

I figured out how to do it with extract and something in transforms.conf, but I expect there is a more straight forward way?

chimell · ‎01-19-2016

hi knielsen
Use this search code to extract your field

    .......|rex field=bla    "\"gc_bla\=(?<field1>[\w+]+)\s+gc_hsg\=(?<field2>[\d+]+)\s+gc_foo=(?<field3>[\d+]+)\""|table field1 field2 field3

You can use this regex in you transform.conf file

knielsen · ‎01-19-2016

I cannot use this kind of regex because "I don't know what keys will be there". Also, I cannot be sure of the order. Otherwise that would be the way to go.

javiergn · ‎01-19-2016

I would go for the props and transforms option.

Your transforms.conf can be something as simple as (you might need to improve the regex below by the way):

[mytransform]
REGEX  = \"(?<_KEY_1>\w+)=(?<_VAL_1>\w+)\"
FORMAT = $1::$2

And then in your props.conf

 [sourcetype BLA]
 ...
 REPORT-abc = mytransform

http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Transformsconf

knielsen · ‎01-19-2016

That's almost exactly what I came up with already, but thinking that using transforms.conf would be overkill. 🙂 The key=value structure in the string is so simple that I was thinking there must be a way to this without this kind of configuration.

If there is no more generic way, I'll accept this later.

How to extract key/values from a string?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms