Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple key value pairs during search

sc0tt
Builder
‎11-07-2013 03:47 AM

In order to reduce the amount of data being indexed, I am using a sed script to strip away all XML tags and to format the data as key=value. Sometimes there are multiple key-value pairs like in the below sample event.

2013-11-07 03:20:24,637 Outgoing UserId="555555555555" Type="Main" To="user@example.com"  Key="1" Text="Value 1" Key="2" Text="Value 2" Key="3" Text="Value 3" SessionId="1000"

I want the search to include all occurrences of multiple key-value pairs (i.e. search..| stats count by Key). Currently, I will only get Key=1 in my results. I have added MV_ADD to transforms.conf but it is not working. Below is my current configuration.

props.conf
[source::/path/to/test.txt]
SHOULD_LINEMERGE = False
SEDCMD-trim = s/<([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>/ \1="\2"/g
REPORT-mvfield = mv-field 

transforms.conf
[mv-field]
MV_ADD = true

What am I missing?

Update:

Based on this post I was able to determine that I needed to add a transforms for each field. 

[mv-field-key]
REGEX = Key=\"(.+?)\"
FORMAT = Key::$1
MV_ADD = true

[mv-field-text]
REGEX = \bText\b=\"(.+?)\"
FORMAT = Text::$1
MV_ADD = true

Is it possible to have a single stanza so that I don't have to specify each field that I want to apply MV_ADD?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-07-2013 06:44 AM

Yes, you can do this instead of individual extractions: 

[mv-field]
REGEX  = (?<_KEY_1>\w+)=\"(?<_VAL_1>.*?)\"
MV_ADD = true

_KEY_1 and _VAL_1 have special meanings in transforms.conf

Edit: Change regexes in the named capture groups to fit your needs.

View solution in original post

Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-07-2013 06:44 AM

Yes, you can do this instead of individual extractions: 

[mv-field]
REGEX  = (?<_KEY_1>\w+)=\"(?<_VAL_1>.*?)\"
MV_ADD = true

_KEY_1 and _VAL_1 have special meanings in transforms.conf

Edit: Change regexes in the named capture groups to fit your needs.

Reply
Solved! Jump to solution

sc0tt
Builder
‎11-07-2013 08:16 AM

Perfect, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...