Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best way to extract data when my log has with comma separated fields and the field-value pairs are separated by a colon?

nunyabizness123
New Member
‎02-08-2017 01:03 PM

How would I go about parsing out/extracting the field data for the following log format?

"fieldname1":"fieldvalue1","timestamp":"2017-02-07 14:19:54.166","ip_address":"3.3.3.3","user_id":"USER1"
"fieldname1":"fieldvalue1","timestamp":"2017-02-07 14:19:52.395","fieldname2":"fieldvalue2","user_id":"USER2"
"fieldname1":"fieldvalue1","timestamp":"2017-02-07 14:19:50.316","ip_address":"8.8.8.8","fieldname2":"fieldvalue2"

Not all lines of logs will contain all the same fields, but field names are constant. The fields are always comma separated and then in "field":"value" pairs. Currently, I have separate field extractions for each interesting field such as:

\"fieldname1\":\"(?P[a-zA-z]*)

Is this the right way to do this or is there an easier or more proper method?

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-11-2017 10:44 AM

@nunyabizness123 - Did the answer provided by karlbosanquet help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply

karlbosanquet
Path Finder
‎02-08-2017 01:40 PM

Have you had a look at DELIMS in transforms.conf? Here is something that should work;

[comma_colon]
DELIMS = ",", ":"

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Seamless IT/OT Security: A Hands-On Look at the Cisco Cyber Vision Splunk Add-on

With just a few clicks, you can ingest critical OT asset details, vulnerabilities, baseline deviations, ...