Re: I've a log in which instead of X=Y, it is pres...

sagar1905 · ‎11-20-2017

I've a log in which instead of X=Y, it is present as "X":"Y". How do I extract X as a field and Y as its value?

shaskell_splunk · ‎11-20-2017

Have a look at the extract command:

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Extract

| makeresults | eval _raw="X:Y, key1:value1, key2:value2" | extract pairdelim="," kvdelim=":"

somesoni2 · ‎11-20-2017

Assuming your key value pairs are colon separated, instead of equal sign = separated, to do this automatically, setup this in your search heads,

props.conf

[yourSourceTYpe]
REPORT-extractFields = colon_separated_fields

transforms.conf

[colon_separated_fields]
REGEX = \"([^\"]+)\"\s*\:\s*\"([^\"]+)\"
FORMAT = $1::$2

A search head restart would be required (depends upon which method you use to deploy this to SH).

sagar1905 · ‎11-20-2017

Hi,

I actually dont have access to the splunk servers, I'm using the splunk enterprise app in my company. A part of a log is how I defined in my question, how can i extract them?

Thanks

somesoni2 · ‎11-20-2017

So you want to extract them at search time? If yes, then try like this

your current search 
| extract pairdelim=", " , kvdelim=":"

More accurate answer can be suggested if you can paste an actual sample log entry (mask any sensitive info).

I've a log in which instead of X=Y, it is present as "X":"Y". How do I extract X as a field and Y as its value?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

I've a log in which instead of X=Y, it is present as "X":"Y". How do I extract X as a field and Y as its value?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk