Assuming Invetory is spelled (in)correctly, you could try this - the rex at the end is required because this date has an embedded space and it is the last field in the message. If the fields were re-ordered or an extra field was in the message (without an embedded space), then the rex would not be required.

The problem is less embedded space, more lack of embedded quotation marks/proper field separator. It is semantically more pleasing to fix structure with rex than using rex to extract one data snippet when most are extracted with the extract command. (But if you have any influence on developers, beg them to add quotation marks - more on this later.)

    | rex field=message mode=sed "s/Date=/&\"/ s/$/\"/"
    | rename message as _raw
    | extract

It would give you the same result, like

    CPWRemaining  CPWTotal  EASRemaining  EASTotal  InvetoryDate          SEQRemaining  SEQTotal  VRSRemaining  VRSTotal  id  severity
    5612          749860    15            1062804   4/16/2024 7:34:25 PM  32746         1026137   0             238       0   Information

About feedback to developers. @ITWhisperer gave one option by taking advantage of a side effect (gem feature) from Splunk's extract command by adding a comma at the end of every key-value pair. They do not have to swap order, but can also simply add a literal comma after each value, like this:

    {"id":"0","severity":"Information","message":"CPWTotal=749860, SEQTotal=1026137, EASTotal=1062804, VRSTotal=238, CPWRemaining=5612, SEQRemaining=32746, EASRemaining=15, VRSRemaining=0, InvetoryDate=4/16/2024 7:34:25 PM,"}

A more robust fix (that does not rely on Splunk's "generosity") is to properly quote the value. Any language can extract that without the programmer's attention.

    {"id":"0","severity":"Information","message":"CPWTotal=749860, SEQTotal=1026137, EASTotal=1062804, VRSTotal=238, CPWRemaining=5612, SEQRemaining=32746, EASRemaining=15, VRSRemaining=0, InvetoryDate=\"4/16/2024 7:34:25 PM\""}

The logic should be simple enough: numeric data, no quote; string data, quote.
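As an added example (not from this thread), a small Python parser that shows why the unquoted date in last position gets cut at the space, what the sed-style rex above does to the message, and that the properly quoted form parses cleanly. The sample messages and the helper names are constructed here, and the simple "value ends at space or comma" rule stands in for a generic auto-KV extractor rather than reproducing Splunk's exact extract behaviour.

```python
import json
import re

# Constructed sample message in the format discussed in the post (not from the thread).
RAW_UNQUOTED = ("CPWTotal=749860, SEQTotal=1026137, EASTotal=1062804, VRSTotal=238, "
                "CPWRemaining=5612, SEQRemaining=32746, EASRemaining=15, VRSRemaining=0, "
                "InvetoryDate=4/16/2024 7:34:25 PM")

# Same event as developers would emit it with the date properly quoted (constructed).
EVENT_QUOTED = ('{"id":"0","severity":"Information","message":"CPWTotal=749860, '
                'SEQTotal=1026137, EASTotal=1062804, VRSTotal=238, CPWRemaining=5612, '
                'SEQRemaining=32746, EASRemaining=15, VRSRemaining=0, '
                'InvetoryDate=\\"4/16/2024 7:34:25 PM\\""}')

# One key=value pair as a generic auto-KV extractor sees it (assumption: stands in for
# Splunk's extract): the value is a double-quoted string, or runs until space or comma.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]*)')


def parse_kv(message: str) -> dict:
    """Return {key: value}; unquoted values stop at whitespace, quoted ones may contain it."""
    fields = {}
    for key, value in PAIR_RE.findall(message):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def quote_last_date(message: str) -> str:
    """Python equivalent of the post's rex: s/Date=/&"/ then s/$/"/ (hypothetical helper)."""
    with_open_quote = re.sub(r"Date=", r'\g<0>"', message, count=1)
    return re.sub(r"$", '"', with_open_quote, count=1)


def extract_event(event_json: str) -> dict:
    """Parse the JSON envelope, then the key=value pairs inside its message field."""
    event = json.loads(event_json)
    fields = {k: v for k, v in event.items() if k != "message"}
    fields.update(parse_kv(event["message"]))
    return fields


if __name__ == "__main__":
    print(parse_kv(RAW_UNQUOTED)["InvetoryDate"])                   # 4/16/2024 (time lost)
    print(parse_kv(quote_last_date(RAW_UNQUOTED))["InvetoryDate"])  # 4/16/2024 7:34:25 PM
    print(extract_event(EVENT_QUOTED)["InvetoryDate"])              # 4/16/2024 7:34:25 PM
```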