×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
jgreen1
Engager
Member since: ‎01-20-2011
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 1
Karma Received 3
Member Since ‎01-20-2011
Activity Feed
View All

Re: transforms.conf - Parsing KVP pairs using DELI...

by Splunk Employee in Splunk Enterprise
‎02-04-2011 01:50 AM
2 Karma
‎02-04-2011 01:50 AM
2 Karma
If you want to do this as a search-time KV extraction, it would be very simple to use the following RegEx to separate your KV pairs: PROPS.CONF: [mysourcetype] REPORT-mysourcetype = xf-kv TRANSFORMS.CONF: [xf-kv] REGEX = (?<_KEY_1>[^ ]+):(\[\d+\])?\s"(?<_VAL_1>[^ ]+)" This will yield the following fields, based on your sample data, above: LENGTH = 353 SESSIONID = 5544703 ENTRYID = 1 This removes the [count], the quotes, and enumerates the fields in a very simple way. HTH Ron ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All
Karma given to
View All