I've a log like below and I want to extract the fields "country", "currency"
"{"id":1, "message":"country=US¤cy=USD"}.
I wrote SPL
index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value
After extracting the fields, I can search based on only one field.
This works .
index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value | search country=US
This does not work
index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value | search country="US" AND currency="USD".
It yields 0 results
Any pointers please?
