Solved: Re: Multiple key value pair extraction

timbCFCA · ‎05-11-2011

I have multiple key value pairs in a line like so:
summary=" Policy Rule modified" summary=" Policy Rule number 2 modified" details="Details line 1" details="Details line 2" ... details="Details line X".

Nothing I'm doing provides an easy way to either concatenate or preferably create keys with increasing numerical sequence, eg summary=, summary2=, etc. I've tried the MV_ADD and REPEAT_MATCH transform options without result. What do I need? It feels like something basic I'm missing but I can't put my finger on it.

[mytype]
REGEX = details=(\S+)
FORMAT = details::$1
REPEAT_MATCH = true

REGEX = summary=(\S+)
FORMAT = summary::$1
MV_ADD = true

hazekamp · ‎05-11-2011

timbCFCA,

The MV_ADD transforms settings is what you want here. REPEAT_MATCH is only valid @ index time. Given the following sample the following configs will be valid:

summary=" Policy Rule modified" summary=" Policy Rule number 2 modified" details="Details line 1" details="Details line 2" ... details="Details line X"

## props.conf
[<your_sourcetype>]
REPORT-details_for_your_sourcetype = details_for_your_sourcetype
REPORT-summary_for_your_sourcetype = summary_for_your_sourcetype

## transforms.conf
[details_for_your_sourcetype]
# Assuming quoted strings
REGEX = details=\"([^"]+)
FORMAT = details::$1
MV_ADD = True

[summary_for_your_sourcetype]
# Assuming quoted strings
REGEX = summary=\"([^"]+)
FORMAT = summary::$1
MV_ADD = True

View solution in original post

supersleepwalke · ‎05-30-2012

I am experiencing this same issue. I would have thought that using "| extract mv_add=true" would fix it in the search interface, but that appears to have no effect. Has anybody experienced that?

I'm able to easily solve this using "| rex ... max_match=50", but that seems like it ought to be unnecessary.

hazekamp · ‎05-11-2011

timbCFCA,

The MV_ADD transforms settings is what you want here. REPEAT_MATCH is only valid @ index time. Given the following sample the following configs will be valid:

summary=" Policy Rule modified" summary=" Policy Rule number 2 modified" details="Details line 1" details="Details line 2" ... details="Details line X"

## props.conf
[<your_sourcetype>]
REPORT-details_for_your_sourcetype = details_for_your_sourcetype
REPORT-summary_for_your_sourcetype = summary_for_your_sourcetype

## transforms.conf
[details_for_your_sourcetype]
# Assuming quoted strings
REGEX = details=\"([^"]+)
FORMAT = details::$1
MV_ADD = True

[summary_for_your_sourcetype]
# Assuming quoted strings
REGEX = summary=\"([^"]+)
FORMAT = summary::$1
MV_ADD = True

timbCFCA · ‎05-11-2011

hazedav, many thanks. I realized that I needed to define two separate entries in props.conf just as I received your response. I went a touch different route for the regex. I'll post just in case anyone comes across this.

[forechange_details]
REGEX = details=\"(.+?)\"
FORMAT = details::$1
MV_ADD = true

[forechange_summary]
REGEX = summary=\"(.+?)\"
FORMAT = summary::$1
MV_ADD = true

Multiple key value pair extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation