Hi. I have JSON-like events that come into my indexer like this:
{foo.field1: value,
foo.field2: value,
foo.field3: value}
I would like to extract field1, field2, and field3 as individual fields. The trouble is that their order is not fixed within the event. I can't use Splunk's default json extraction on this data for long and boring reasons, so I'm trying to handle it manually in props. What I'd like to do is something like the following, to extract to a dynamic field name based on the regex:
EXTRACT-foo = \{foo\.(\w+):\s*(?<\1>[^,\}]*),foo\.(\w+):\s*(?<\2>[^,\}]*),foo\.(\w+):\s*(?<\3>[^,\}]*)\}
Unfortunately this doesn't work, and aside from not knowing what Splunk considers to be capture groups in the extraction, I'm not even sure if this syntax is legal. Is there a way to solve this without sorting the JSON beforehand?
UPDATE: For anyone who doesn't feel like reading the comment chain, the $1::$2 format in the accepted answer doesn't just stop at the first match--it goes through the entire event and does pairwise extractions for everything it matches. Since all my field-value pairs have the same format, I don't have to make a regex to match the whole event--I just need to match one pair, and the extraction automatically finds all the pairs that match. I had tried to do a full-event match with the format $1::$2 $3::$4 $5::$6, which is supposed to work, but it didn't, and Splunk support never figured out why. Anyway, the $1::$2 format is simpler and is automatically extensible if I add fields to these events in future.
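As an added illustration of the pairwise behaviour the update describes (not code from the original post or from Splunk itself), this Python script emulates a transforms.conf extraction with `FORMAT = $1::$2`: one regex matches a single `foo.<name>: <value>` pair, and every match in the event becomes a field named by group 1. The regex, config stanza names and sample events are constructed for the example.

```python
import re

# Regex in the spirit of the $1::$2 approach: match ONE "foo.<name>: <value>"
# pair. Group 1 is the field name, group 2 the value (up to the next ',' or '}').
# Constructed for this example; not the exact regex from the accepted answer.
PAIR_REGEX = re.compile(r"foo\.(\w+):\s*([^,}]*)")

# Splunk configuration this emulates (a REPORT-based extraction, not EXTRACT;
# stanza and class names are made up for the example):
#   props.conf:       REPORT-foo = foo_pairs
#   transforms.conf:  [foo_pairs]
#                     REGEX  = foo\.(\w+):\s*([^,}]*)
#                     FORMAT = $1::$2


def extract_pairs(event: str, regex: re.Pattern = PAIR_REGEX) -> dict:
    """Emulate FORMAT = $1::$2: each match in the event yields one field
    named by group 1 with the value of group 2, whatever the pair order."""
    fields = {}
    for match in regex.finditer(event):
        name, value = match.group(1), match.group(2).strip()
        fields[name] = value
    return fields


# Constructed sample events: the same fields in different orders, plus one
# event with a missing field and an extra field to show the regex scales.
EVENT_A = "{foo.field1: alpha, foo.field2: beta, foo.field3: gamma}"
EVENT_B = "{foo.field3: gamma,foo.field1: alpha,foo.field2: beta}"
EVENT_C = "{foo.field2: beta, foo.field4: delta}"

if __name__ == "__main__":
    for event in (EVENT_A, EVENT_B, EVENT_C):
        print(extract_pairs(event))
```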