It seems the extract/kv command uses _raw as input to do its parsing. Is there any way to pass a previously extracted field to it instead?
Given this sample event:
| stats count
| eval _raw="messageToParse=\"key1:val1,key2:val2,key3:val3\" user=\"user123\" application=\"app123\" host=\"host123\""
I'm looking for something similar to:
| extract kvdelim=":" pairdelim="," input=messageToParse
to produce a table of:
key1 | key2 | key3
val1 | val2 | val3
Note: The number of kvps in messageToParse is greater than 50, so parsing them individually via regex is not suitable.
Any ideas?
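Since `extract` reads `_raw` (as noted above) and the sample already builds `_raw` with `eval`, the parsing being asked for is a two-step job: pull the quoted `messageToParse` value out of the outer event, then split that value on `pairdelim` and `kvdelim`. The following Python, added here as an illustration and not part of the original post or of Splunk, reproduces that pipeline offline over the exact sample event from the question, so the expected `key1 | key2 | key3` / `val1 | val2 | val3` table can be checked. The function names and the regex for the outer `name="value"` pairs are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample event: the same string the question's eval assigns to _raw.
SAMPLE_RAW = (
    'messageToParse="key1:val1,key2:val2,key3:val3" '
    'user="user123" application="app123" host="host123"'
)

# Outer event layout: name="value" pairs, with backslash escapes allowed inside the quotes.
_QUOTED_FIELD = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def extract_quoted_fields(raw: str) -> Dict[str, str]:
    """Return the name="value" pairs of the outer event as a dict (default-style kv extraction)."""
    return {m.group(1): m.group(2) for m in _QUOTED_FIELD.finditer(raw)}


def extract_kv(text: str, kvdelim: str = "=", pairdelim: str = " ") -> Dict[str, str]:
    """Split `text` into pairs on `pairdelim`, then each pair on the FIRST `kvdelim`.

    Splitting on the first delimiter only means a value may itself contain kvdelim
    ("url:http://x" keeps its colon). Pairs lacking kvdelim are skipped, and a
    repeated key keeps its last value, so the output is always one value per key.
    Nothing here limits the number of pairs, so 50+ pairs are handled the same way.
    """
    fields: Dict[str, str] = {}
    for pair in text.split(pairdelim):
        pair = pair.strip()
        if not pair or kvdelim not in pair:
            continue
        key, value = pair.split(kvdelim, 1)
        key = key.strip()
        if key:
            fields[key] = value.strip()
    return fields


def parse_field(raw: str, field: str, kvdelim: str, pairdelim: str) -> Dict[str, str]:
    """The operation the question asks for: kv-parse one already-extracted field, not _raw."""
    outer = extract_quoted_fields(raw)
    if field not in outer:
        return {}
    return extract_kv(outer[field], kvdelim=kvdelim, pairdelim=pairdelim)


def to_table(fields: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Render the parsed pairs as a header row and a single value row, in input order."""
    keys = list(fields)
    return keys, [fields[k] for k in keys]


if __name__ == "__main__":
    inner = parse_field(SAMPLE_RAW, "messageToParse", kvdelim=":", pairdelim=",")
    header, values = to_table(inner)
    print(" | ".join(header))
    print(" | ".join(values))
```

The inner fields are deliberately returned separately rather than merged into the outer event's dict: the key names come from message content, so a message carrying a pair such as `host:...` would otherwise silently overwrite the outer `host` field. Prefix or namespace them if both sets are needed in one record.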