Solved: Re: Multiple Key Value Pair Extraction

FRoth · ‎04-29-2014

I have a log format that contains KEY/VALUE pairs in this format:

Feb 10 12:02:38 192.168.56.101 Feb 10 12:02:37 PROMETHEUS/192.168.56.101 THOR: Info: MODULE: UserAccounts MESSAGE: User Account USER: trinity FULL_NAME: trinity PRIV: 1 LAST_LOGON: 03/02/2014 13:52:38 BADPWCOUNT: 0 LOGON_SERVER: \\* NUM_LOGONS: 8 PASS_AGE: 78.00  days

The thing is, that the values are terminated by the next key, so the extraction would be:

(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?) [A-Z_]+:

The problem I face is that it only extracts the first, third, fifth, seventh ... key/value pair as it skips the following key as part of the first extraction.
Is there a way to handle this?

richgalloway · ‎04-29-2014

According to RegExr, this should work:

(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?) (?=[A-Z_]+:)

It matches the next key without including it in the result.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-29-2014

According to RegExr, this should work:

(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?) (?=[A-Z_]+:)

It matches the next key without including it in the result.

---
If this reply helps you, Karma would be appreciated.

FRoth · ‎05-02-2014

I changed it a bit so that it also includes the last key/value pair (?<KEY_1>[A-Z]+): (?<VAL_1>.*?)(?=(\s[A-Z]+:)|$)

FRoth · ‎04-29-2014

Awesome. This works. Thanks

FRoth · ‎04-29-2014

No. There are more than 40 different formats. I use to extract them separately by specific extraction rules and would like to extract all by a single rule. i.e. what I normally do is "DOMAIN: (?.*?) [A-Z_]+:".

richgalloway · ‎04-29-2014

Are the keys always the same and in the same order?

---
If this reply helps you, Karma would be appreciated.

Multiple Key Value Pair Extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!