Solved: Split complex event to key value table

ormoush · ‎10-05-2020

Hi,

I'm trying to split this event into a

name	value
FieldA	false
FieldB	5

key-value table

org.Data@28c839cfname=FieldA, value=false, org.Data@49b45b79name=FealedB, value=5,

Query:

1. base_query | extract pairdelim=" ", kvdelim=" " | table _raw
2. base_query | extract pairdelim="org.data*=", kvdelim=" " | table _raw

is it possible?

Thanks

ITWhisperer · ‎10-05-2020

| rex max_match=0 "org.Data[^=]+=(?<name>[^,]+),\svalue=(?<value>[^,]+)"
| eval fieldvalue=mvzip(name, value)
| fields fieldvalue
| mvexpand fieldvalue
| rex field=fieldvalue "(?<name>[^,]+),(?<value>.+)"
| table name, value

View solution in original post

ITWhisperer · ‎10-05-2020

| rex max_match=0 "org.Data[^=]+=(?<name>[^,]+),\svalue=(?<value>[^,]+)"
| eval fieldvalue=mvzip(name, value)
| fields fieldvalue
| mvexpand fieldvalue
| rex field=fieldvalue "(?<name>[^,]+),(?<value>.+)"
| table name, value

Split complex event to key value table

chart

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How Edge Processor's Durable Queue Works

Announcing Modern Navigation: A New Era of Splunk User Experience

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation