Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Field Extraction inside a bracket

jadengoho
Builder
‎03-26-2020 05:30 AM

Hi All,
Is there any faster way to extract fields with this format on props and transforms file? like Key value pair ?
There's a lot more field than that , that's why im finding an easier way to extract field value

2020/03/01-10:01:01 [firstname "JOHN"] [surename "DOE"] [age "30"] [state "NY"] [id "10001"]
2020/03/01-10:01:02 [firstname "Julie"] [age "58"] [state "AU"] [id "10002"]
2020/03/01-10:01:02 [firstname "MEGAN"][middlename "myra"] [surename "DOE"] [age "58"] [state "AU"] [id "10052"]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-26-2020 07:01 AM

Like this:

REGEX = \[(?<key>\S+)\s+"(?<value>[^"]+)
FORMAT = $1::$2

See here:
https://regex101.com/r/ZvxlMY/1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-26-2020 07:01 AM

Like this:

REGEX = \[(?<key>\S+)\s+"(?<value>[^"]+)
FORMAT = $1::$2

See here:
https://regex101.com/r/ZvxlMY/1

0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎03-26-2020 07:42 PM

thanks @woodcock - this is very helpful.
Can i use this command for specific logs only ? i need this configuration for INFO only not DEBUG?
https://regex101.com/r/ZvxlMY/2

 2020/03/01-10:01:01 INFO [firstname "JOHN"] [surename "DOE"] [age "30"] [state "NY"] [id "10001"]
 2020/03/01-10:01:02 DEBUG [firstname "Julie"] [age "58"] [state "AU"] [id "10002"]
 2020/03/01-10:01:02 INFO [firstname "MEGAN"][middlename "myra"] [surename "DOE"] [age "58"] [state "AU"] [id "10052"]
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-26-2020 09:26 PM

There is no sense in limiting the field extraction. Limit it in your search. Create your stanza based on sourcetype.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-26-2020 06:35 AM

Faster than what? Easier than what? What are your current props.conf settings?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...