Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex help: Colon space and comma as key-value pair

koshyk
Super Champion
‎02-28-2018 12:58 AM

I'm trying to figure out better way of doing regex for a data like below

Protocol: TCP, SrcIP: 1.2.3.4, OriginalClientIP: ::, DstIP: 5.6.7.8, SrcPort: 1234, DstPort: 678, TCPFlags: 0x0, DE: some engine (6xxxxxe-a010-11e7-b61b-xxxxxxx), Policy: my-home-policy, ConnectType: End, AccessControlRuleName: AB-CD-EFG, AccessControlRuleAction: Allow, Prefilter Policy: AB-CD-EFG, UserName: User A, InitiatorPackets: 4, ResponderPackets: 2, InitiatorBytes: 288, ResponderBytes: 148, NAPPolicy: AB-CD-EFG-Analysis-Policy, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Highly Risky

I was looking to split this into key-value pairs, so it becomes

Protocol=TCP
OriginalClientIP="" 
UserName="User A"

So the key-value split is :\s and .* until it finds a comma. 

(?<key>\w+):\s+(?<value>.*?)(\,|$)

Above regex works in regex101, but not in transforms.conf . Or put in more precisely, the value is not getting assigned to the key

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎02-28-2018 01:11 AM

What exactly does your transforms.conf look like?

Should be something like:

[<stanzaname here>]
REGEX = (\w+):\s+([^,]*)(?:,|$)
FORMAT = $1::$2

And why not simply use:

DELIMS = ",", ":"

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎02-28-2018 01:11 AM

What exactly does your transforms.conf look like?

Should be something like:

[<stanzaname here>]
REGEX = (\w+):\s+([^,]*)(?:,|$)
FORMAT = $1::$2

And why not simply use:

DELIMS = ",", ":"
Reply
Solved! Jump to solution

koshyk
Super Champion
‎03-02-2018 02:22 AM

DELIMS did the trick. thanks for the idea

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎02-28-2018 01:28 AM

thanks for your DELIMS suggestion. I will try that out

(The transforms looks like what you mentiond. I have seen in other posts that we might need to put double quotes over FORMAT. so something like FORMAT = "$1": $2 . I will try both of them anyway.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎02-28-2018 01:38 AM

Looking at the transforms.conf documentation, it should be just FORMAT=$1::$2.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...