Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex every first event in the pair

ryastrebov
Communicator
‎03-11-2016 08:07 AM

Hello splunkers!

I have event in this format:

id_param1,id_value1,id_param2,id_value2,...,id_paramX,id_valueX

for example:

2,45,3,14,31,8,4356,abcd,4421,3,9,foo

I need to transform this into key-value pair:

2   45
3   14
31  8
4356   abcd
4421   3
9   foo

How I can make it by rex in Splunk?

Best regards,
Roman

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎03-11-2016 08:29 AM

Try this:

| yoursearch
| rex field=_raw max_match=0 "(?<key>[^\,]++)\,(?<value>[^\,]++)\,?"
| eval keyvalues = mvzip(key,value)

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎03-11-2016 08:29 AM

Try this:

| yoursearch
| rex field=_raw max_match=0 "(?<key>[^\,]++)\,(?<value>[^\,]++)\,?"
| eval keyvalues = mvzip(key,value)
Reply
Solved! Jump to solution

ryastrebov
Communicator
‎03-11-2016 08:34 AM

Great!!!

Thank you very much, it's working!

Best regards,
Roman

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? &#x1f680; We invite you to join our elite squad ...