- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use the extract command for a field ext...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use the extract command for a field extraction of key value pairs?
having some time trying to extract fields automaticaly from the message below.
really wanted to test out the xtract before putting into a transforms / props etc.
So tried to use the extract command on the event below ** extract kvdelim=; pairdelim=: ** and this one ** extract kvdelim=; pairdelim=": " **
As most of the KV are framed with ; and the values are noted by : but no luck at all
I think it is due to the the KV pairs are enclosed in quotes and it looks that this throws off the extractor ...
Nov 26 12:02:51 172.255.255.253 Verdict-Clean: "File Name:ie6.0sp1-kb958869-windows2000-x; Job ID:1417021278808146; SHA256:73a0db29059f81adbbe1c620c132bec58b6fe7efd8c0ce973595ac6ea346a8e6; Rating:Clean; Scan Time: 90 (seconds); Malware Name:N/A; Source IP:172.23.98.229; Destination IP:8.254.230.174; Send Over:HTTP; Device:FG100D3G14800455(FG100D3G14800455:root); "
Also tried to do a rex to pull out the fields .. and that seems to work but as the KV can change postions the name never line up correctly so thus losing the KV pairs?
So was thinking that you could run a extract command on a field ... i.e. use rex to extract the quoted
extracted_field = "File Name:ie6.0sp1-kb958869-windows2000-x; Job ID:1417021278808146; SHA256:73a0db29059f81adbbe1c620c132bec58b6fe7efd8c0ce973595ac6ea346a8e6; Rating:Clean; Scan Time: 90 (seconds); Malware Name:N/A; Source IP:172.23.98.229; Destination IP:8.254.230.174; Send Over:HTTP; Device:FG100D3G14800455(FG100D3G14800455:root); "
and then try to to a extract on the extraced field. But it seems you can not run extract on a field .. or can you ?
Need some insight on this one ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have kvdelim and pairdelim reversed. Try extract kvdelim=":", pairdelim=";".
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes tried this combo already .. backward and forwards ie extract kvdelim=":", pairdelim=";" and extract kvdelim=";", pairdelim=":" just to see if I was just crazy or something ..
Have used the kv / extract command before in the past for doing field extracting and I am guessing ( again ) that it the the quotes around the value set that is throwing the extract command off .. as the command or the indexer is thinking that ... oh this stuff in the quotes is a part of value pair so let just skip over anything that is inbetwen the quotes ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suspect you're right about the quotes throwing things off. They also keep me from reproducing the problem.
This should be easy for rex, however, if the fields are always in the same order.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct .. rex would be good for this but of course the issue is that the fields can change order from time to time so rex is no good .. nor is doing this in a transforms etc.
I have already reached out to the vendor and said to them and stated ..
" somehow you have broken splunks parser with your wacky log format " 😉
Lucky the vendor is in early stages of the product development so there is hope they will update at the log format .. it has many many issues other than the quotes around the values.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
