I'm new to splunk, so please excuse the basic question. I have some data in the following format:
Note the different separators. I can quite easily extract one of these using the following command:
... | rex field=_raw "Field1=(?<Field1>.*)Field2=(?<Field2>.*)"Field3=(?<Field3>.*)
I thought I could expand on this, in order to extract both of them at the same time, so I tried this, but it does not seem to work:
... | rex field=_raw "Field1[;&](?<Field1>.*)Field2[;&](?<Field2>.*)"Field3[;&](?<Field3>.*)
Could someone please help with this? I imagine there probably is a better way to do this, but I am still trying different ways. Is there a way to just give my delimiters and have it extract everything into its own field?
does not match any of your regular expressions, as field3 is lower case in the above example. I will assume that you meant:

instead. Now your first regular expression will almost work, although it has a spurious " in it. The second regular expression has lost the = and put the field separator in the wrong places.
You could do this:
yoursearchhere | rex "Field1=(?<Field1>.*)[;&]Field2=(?<Field2>.*)[;&]Field3=(?<Field3>.*)"
Here is another answer that may be helpful:
Here is an example of using DELIMS in transforms.conf. It applies to an event where field/value pairs are separated by ';' symbols, and the field names are separated from their corresponding values by '=' symbols:
[pipe_eq]
DELIMS = ";", "="
You can find out more about DELIMS here. Also look at the documentation for transforms.conf
OK, so I have been testing this further, and the following works better for me, as it seems to extract more fields. It is still not perfect for the most important fields though.
search term | extract pairdelim=";+&", kvdelim="=", auto=f
Using this, the following still do not get caught:
Note that Field72 is blank, which may be the reason for it not being extracted.
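As an added illustration (not code from this thread), the snippet below models the two approaches discussed above in Python: a delimiter-based key/value split in the spirit of extract pairdelim=";+&" kvdelim="=", which keeps a blank value such as Field72= instead of dropping it, and the sequential rex pattern from the earlier answer, whose greedy .* lets the last capture swallow every pair that follows it. The sample event is constructed, since the real data is not reproduced on the page.

```python
import re

# Constructed sample event: pairs separated by ';' or '&', key and value
# separated by '=', and one blank value (Field72=) as mentioned in the thread.
SAMPLE = "Field1=alpha;Field2=beta&Field3=gamma;Field72=;Field4=delta"


def extract_kv(raw, pairdelim=";+&", kvdelim="="):
    """Delimiter-based extraction: any character in pairdelim ends a pair,
    the first kvdelim inside a pair splits key from value.
    Blank values are kept as empty strings rather than dropped."""
    fields = {}
    for pair in re.split("[" + re.escape(pairdelim) + "]", raw):
        if kvdelim not in pair:
            continue  # fragment without a key/value separator
        key, value = pair.split(kvdelim, 1)
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


def rex_greedy(raw):
    """The answer's sequential rex pattern in Python's (?P<name>...) spelling.
    Greedy .* means the last capture runs to the end of the event."""
    pattern = r"Field1=(?P<Field1>.*)[;&]Field2=(?P<Field2>.*)[;&]Field3=(?P<Field3>.*)"
    m = re.search(pattern, raw)
    return m.groupdict() if m else {}


def rex_bounded(raw):
    """Same three fields, but each value stops at the next pair delimiter,
    so trailing pairs are not pulled into Field3."""
    pattern = (r"Field1=(?P<Field1>[^;&]*)[;&]Field2=(?P<Field2>[^;&]*)"
               r"[;&]Field3=(?P<Field3>[^;&]*)")
    m = re.search(pattern, raw)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    print(extract_kv(SAMPLE))   # Field72 present with value ''
    print(rex_greedy(SAMPLE))   # Field3 = 'gamma;Field72=;Field4=delta'
    print(rex_bounded(SAMPLE))  # Field3 = 'gamma'
```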
Extracting field1 works, but then a lot of the other fields (2 onwards) are all left in there also. What if I wanted to just extract that one field and just search the various delimiters at the end of it? Could I then later pick another field and extract that (whether that data is before or after the already extracted data)? Unfortunately, as the data which follows is not always consistent, I cannot input that data into a new field by naming the field.
Sorry, the errors in that were due to me trying to remember the data off the top of my head. Turns out the code you posted and the code I used are the same, and that didn't quite work. Here is the actual format of the data: