Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Regex / Transforms issue.

darrenfuller
Contributor
‎12-19-2019 12:10 PM

Hi Regexian Splunkers,

I have an event that looks like so: 

2020-02-20 20:22:02.202020 test:>"value" test1:>"value1" test2:>"this is a \"test\"" test3:>"this is \"a test\" ok" test4:>"this is \"another\" test ok?"

I want the fields extracted to look as so: 

test    value
test1   value1
test2   this is a \"test\"
test3   this is \"a test\" ok"
test4   this is \"another\" test..ok?

In words.... i want a fieldname, which can have letters numbers and underscores.... followed by :> ... followed by double quotes, the field value (which can have escaped quotes in it) which will be followed by double quotes.

My configs look like:

props.conf: 

[mydumbsourcetype]
TRANSFORMS-01-Pull_Colon_Angle_Events = Pull_Colon_Angle_Events

transforms.conf: 

[Pull_Colon_Angle_Events]
disabled = false
SOURCE_KEY = _raw
REGEX = ([\w\_]+)\=\"((?:[^"\\]|\\.)*)\"
FORMAT = $1::$2

My regex works on Regex101.com ( https://regex101.com/r/LUb4km/1 ).. but on Splunk i am getting no fields. Any help would be lovely.

./D

0 Karma
Reply

niketn
Legend
‎12-22-2019 09:53 AM

@darrenfuller you would need additional escaping in Splunk for " and \ while defining the regular expression. Following is a test you can run in Splunk SPL to validate the REGEX:

| makeresults
| eval _raw=" 2020-02-20 20:22:02.202020 test:>\"value\" test1:>\"value1\" test2:>\"this is a \\\"test\\\"\" test3:>\"this is \\\"a test\\\" ok\" test4:>\"this is \\\"another\\\" test ok?\""
| rex "(?<field>[\w\_]+)\:\>\"(?<value>(?:[^\"\\\]|\\\.)*)\"" max_match=0

If the above works as per your expectation, you would need to use following REGEX in transforms.conf

([\w\_]+)\:\>\"((?:[^\"\\\]|\\\.)*)\"

PS: If you pass the regex101 regular expression to Splunk SPL I have provided above, you can notice that it is unable to parse the regular expression as quote and backslash need additional escaping in Splunk.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...