Splunk Search

Multiple Key Value Pair Extraction

FRoth
Contributor

I have a log format that contains KEY/VALUE pairs in this format:

Feb 10 12:02:38 192.168.56.101 Feb 10 12:02:37 PROMETHEUS/192.168.56.101 THOR: Info: MODULE: UserAccounts MESSAGE: User Account USER: trinity FULL_NAME: trinity PRIV: 1 LAST_LOGON: 03/02/2014 13:52:38 BADPWCOUNT: 0 LOGON_SERVER: \\* NUM_LOGONS: 8 PASS_AGE: 78.00  days

The thing is, that the values are terminated by the next key, so the extraction would be:

(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?) [A-Z_]+:

The problem I face is that it only extracts the first, third, fifth, seventh ... key/value pair as it skips the following key as part of the first extraction.
Is there a way to handle this?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

According to RegExr, this should work:

(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?) (?=[A-Z_]+:)

It matches the next key without including it in the result.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

According to RegExr, this should work:

(?<_KEY_1>[A-Z_]+): (?<_VAL_1>.*?) (?=[A-Z_]+:)

It matches the next key without including it in the result.

---
If this reply helps you, Karma would be appreciated.

FRoth
Contributor

I changed it a bit so that it also includes the last key/value pair (?<KEY_1>[A-Z]+): (?<VAL_1>.*?)(?=(\s[A-Z]+:)|$)

0 Karma

FRoth
Contributor

Awesome. This works. Thanks

0 Karma

FRoth
Contributor

No. There are more than 40 different formats. I use to extract them separately by specific extraction rules and would like to extract all by a single rule. i.e. what I normally do is "DOMAIN: (?.*?) [A-Z_]+:".

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Are the keys always the same and in the same order?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...