Splunk Search

I've a log in which instead of X=Y, it is present as "X":"Y". How do I extract X as a field and Y as its value?

sagar1905
New Member

I've a log in which instead of X=Y, it is present as "X":"Y". How do I extract X as a field and Y as its value?

Tags (1)
0 Karma

shaskell_splunk
Splunk Employee
Splunk Employee

Have a look at the extract command:

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Extract

| makeresults | eval _raw="X:Y, key1:value1, key2:value2" | extract pairdelim="," kvdelim=":"
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Assuming your key value pairs are colon separated, instead of equal sign = separated, to do this automatically, setup this in your search heads,

props.conf

[yourSourceTYpe]
REPORT-extractFields = colon_separated_fields

transforms.conf

[colon_separated_fields]
REGEX = \"([^\"]+)\"\s*\:\s*\"([^\"]+)\"
FORMAT = $1::$2

A search head restart would be required (depends upon which method you use to deploy this to SH).

sagar1905
New Member

Hi,

I actually dont have access to the splunk servers, I'm using the splunk enterprise app in my company. A part of a log is how I defined in my question, how can i extract them?

Thanks

0 Karma

somesoni2
SplunkTrust
SplunkTrust

So you want to extract them at search time? If yes, then try like this

your current search 
| extract pairdelim=", " , kvdelim=":"

More accurate answer can be suggested if you can paste an actual sample log entry (mask any sensitive info).

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...