Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Key value pair extraction not working

viswanathsd
Path Finder
‎07-06-2015 08:05 PM

Sample Event:

2015-07-01 09:17:22,962|CACHE-NAME:upf-cccc-ttt-yyy2-zzz-cache|BACK-CACHE-ENTRIES:0|BACK-CACHE-SIZE-IN-BYTES:0|BACK-CACHE-SIZE-IN-MB:0|BACK-CACHE-AVG-SIZE:0|BACK-CACHE-NO-OF-GETS:0|BACK-CACHE-NO-OF-HITS:0

Tried below options...
Transforms.conf:

[sampleextract]
([A-Z|\-]+):([a-z|\-|\d]+)

OR

\|(?<_KEY_1>[A-Z|\-]+):(?<_VAL_1>[^|]+)

OR

\|(?<_KEY_1>[^:]+):(?<_VAL_1>[^|]+)

OR

\|([A-Z|\-]+):([a-z|\-|\d]+) 
_raw
$1::$2

Props.conf:

Name                                      Type             Extraction/Transform

sampleextract : REPORT-samplesource       Uses transform   sampleext
0 Karma
Reply

woodcock
Esteemed Legend
‎07-06-2015 09:27 PM

Try this:

Transforms.conf:

[sampleextract]
REGEX = ([^|:\s]{3,}):([^|:\s]+)
FORMAT = $1::$2
MV_ADD = 1

Props.conf:

[mySourceType]
REPORT-sampleextract sampleextract
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...