I've a log in which instead of X=Y, it is present as "X":"Y". How do I extract X as a field and Y as its value?

sagar1905
New Member


shaskell_splunk
Splunk Employee

Have a look at the extract command:

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Extract

| makeresults | eval _raw="X:Y, key1:value1, key2:value2" | extract pairdelim="," kvdelim=":"

somesoni2
Revered Legend

Assuming your key-value pairs are colon-separated instead of equals-sign-separated, to do this automatically, set this up on your search heads:

props.conf

[yourSourceType]
REPORT-extractFields = colon_separated_fields

transforms.conf

[colon_separated_fields]
REGEX = \"([^\"]+)\"\s*\:\s*\"([^\"]+)\"
FORMAT = $1::$2

A search head restart would be required (depends upon which method you use to deploy this to SH).

sagar1905
New Member

Hi,

I actually don't have access to the Splunk servers; I'm using the Splunk Enterprise app in my company. A part of a log is as I described in my question. How can I extract them?

Thanks


somesoni2
Revered Legend

So you want to extract them at search time? If yes, then try it like this:

your current search
| extract pairdelim=", " kvdelim=":"

A more accurate answer can be suggested if you can paste an actual sample log entry (mask any sensitive info).

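To show what the two suggested approaches actually capture on an awkward event, here is an added Python example (not from the thread or from Splunk): it runs the transforms.conf REGEX from the props/transforms answer above, and a simplified delimiter split standing in for `| extract pairdelim=", " kvdelim=":"`, over a constructed event whose value contains both delimiters. The sample event, the function names and the delimiter-split stand-in are my assumptions, not Splunk's own extract implementation.

```python
import re

# Same pattern as the transforms.conf REGEX above, as a Python raw string.
QUOTED_PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]+)"')

# Constructed sample event (not from the thread): the "msg" value contains
# both the ", " pair delimiter and the ":" key/value delimiter.
SAMPLE_EVENT = '"user":"alice", "action":"login", "msg":"retry 2, status: ok"'


def extract_by_regex(event: str) -> dict:
    """What REPORT-extractFields yields: each "key":"value" pair is a field.

    Caveats visible in the pattern: a value containing an escaped quote
    (\\") ends the match early, and an empty value ("k":"") is skipped
    because the value group uses + rather than *.
    """
    return {key: value for key, value in QUOTED_PAIR.findall(event)}


def extract_by_delims(event: str, pairdelim: str = ", ", kvdelim: str = ":") -> dict:
    """Simplified stand-in for `| extract pairdelim=", " kvdelim=":"`.

    Splits on the pair delimiter first, then on the first key/value
    delimiter, and strips surrounding quotes. It is here to show where a
    purely delimiter-based split goes wrong, not to reimplement Splunk.
    """
    fields = {}
    for chunk in event.split(pairdelim):
        if kvdelim not in chunk:
            continue
        key, _, value = chunk.partition(kvdelim)
        fields[key.strip().strip('"')] = value.strip().strip('"')
    return fields


if __name__ == "__main__":
    # The regex keeps "msg" intact; the delimiter split truncates it and
    # invents a spurious "status" field from the remainder of the value.
    print(extract_by_regex(SAMPLE_EVENT))
    print(extract_by_delims(SAMPLE_EVENT))
```

On the sample event the regex returns msg="retry 2, status: ok", while the delimiter split returns msg="retry 2" plus a bogus status="ok" field, which is the practical reason to prefer the regex-based REPORT extraction when values may contain delimiters.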