Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a regular expression to extract key value pairs from my sample event?

rajgowd1
Communicator
‎11-22-2016 08:47 AM

Hi,

We have events which contain key value pairs separated by a colon :.
Here is the sample event:

<6>2016-11-22T16:29:37Z v26l5klvoo3 doppler[21]: {"cf_app_id":"19351f6f-d125-4322-88ed-926e8f578e16","cf_app_name":"nam-rds-gpu-drag-payment-mq","cf_org_id":"d58e8896-6150-4f89-806b-c28464ba7e22","cf_org_name":"NAM-US-verizon","cf_origin":"firehorse","cf_space_id":"52223ed6-a3c5-4955-a6f8-be6c9649e215","cf_space_name":"RDS-DEV1","event_type":"LogMessage","level":"info","message_type":"OUT","msg":"[2016-11-22 16:29:37,017] DiscoveryClient-CacheRefreshExecutor-0 (DiscoveryClient.java:1064) DEBUG - Got delta update with apps hashcode UP_45_","origin":"rep","source_instance":"0","source_type":"APP","time":"2016-11-22T16:29:37Z","timestamp":1479832177017862007}

Key value pairs are with in curly brackets { }
Example: cf_space_name":"RDS-DEV1" this is one key value pair

Can you please help us to write a regular expression for the above sample event.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 08:58 AM

Try this

REGEX = "([^"]+)":"([^"]+)
FORMAT = $1:$2

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sshelly_splunk
Splunk Employee
Splunk Employee
‎11-22-2016 11:56 AM

Try this one:

REGEX= (?ism)"(\w+)":"([^"]+)|timestamp":(?P\d+)
FORMAT = $1:$2

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 08:58 AM

Try this

REGEX = "([^"]+)":"([^"]+)
FORMAT = $1:$2
0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎11-22-2016 10:13 AM

Apologies @sundareshr and @rajgowd1 I accidentally clicked the Accept button. I unaccepted it since this question is still unresolved.

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎11-22-2016 09:31 AM

Hi Sundaresh,
when i try index=myindex | rex "([^"]+)":"([^"]+)
getting error like Mismatched ']'. but the same expression is working in regex101

am i missing any here?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-22-2016 10:16 AM

If you're using it in rex, you'll need to escape the quote. Try this

... | rex "\"(?<key>[^\"]+)\":\"(?<value>[^\"]+)" max_match=0

With this, key and value will be mvfields, to access a specific value, you will have to use mvindex(key, n) etc. I would not recommed this approach.

The other thing you could try is the extract command

... | extract kvdelim=":" pairdelim=","

This may work better for your case

https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Extract

Reply
Solved! Jump to solution

rajgowd1
Communicator
‎11-22-2016 10:26 AM

thank you.you are genius.regular expression and extract both are working as expected

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...