How to extract value using KV pairs?

hraj05579 · ‎11-16-2019

Hello all,

How I can extra value from my event?

23-Oct-2019 08:07:23 <TestCase1>23</TestCase1>
23-Oct-2019 08:07:23    <TestCasePassed>234</TestCasePassed>

I want to display TestCase1= 23 TestCasePassed=234

Thanks in advance.

woodcock · ‎11-16-2019

Like this:

|makeresults | eval raw=" 23-Oct-2019 08:07:23 <TestCase1>23</TestCase1>:::23-Oct-2019 08:07:23 <TestCasePassed>234</TestCasePassed>"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."

| rex max_match=20 "<(?<key>[^\/][^>]+)>(?<value>.*?)<\/[^>]+>"
| eval _raw=mvzip(key, value, "=")
| kv

to4kawa · ‎11-16-2019

| makeresults
| eval raw="23-Oct-2019 08:07:23 <TestCase1>23</TestCase1>
23-Oct-2019 08:07:23    <TestCasePassed>234</TestCasePassed>"
| makemv delim="
" raw
| mvexpand raw
| rex field=raw "(?<time>^[^ ]+ [^ ]+) (?<_raw>.+)"
| eval _time=strptime(time,"%d-%b-%Y %H:%M:%S")
| table _time _raw
`comment("this is sample data")`
| spath

Hi, try spath command

How to extract value using KV pairs?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)