I have a huge message field with the format: field1=value1,field2=value2,...,fieldn=valuen. This field is not getting extracted by Splunk automatically.
Is there a solution on how to get this field extracted into multiple fields with these values? I tried to edit the sourcetype for my message field with this regex (\w+)=([^,]+)* but it didn't work.
I want to write a regex that captures value1 and names it as field1 and so on for all fields. I want the field names to be dynamically used as I do not know the names of all fields.
I do not want to use rex (as I saw in some other solutions) as this is a permanent requirement and not limited to the search query.
I also looked at whether I can do something from transforms.conf. So far no luck. 😞
I am using a Splunk Kafka plugin to ingest logs from Kafka to Splunk. I am also using REGEX filter on logs to get only purchase events.
Props.conf
[kafka:topicEvent]
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
CHARSET = AUTO
MAX_TIMESTAMP_LOOKAHEAD = 24
disabled = false
TIME_FORMAT = %FT%T.%3N%Z
TIME_PREFIX = "@timestamp":"
INDEXED_EXTRACTIONS = json
TRANSFORMS-changesourcetype = changesourcetype_to_kafka
TRANSFORMS-override_kafka_host = override_kafka_host
TRANSFORMS-set = setnull,purchase,extraction
TRUNCATE = 15000
Transforms.conf
[changesourcetype_to_kafka]
REGEX = "@timestamp":"
FORMAT = sourcetype::kafka
DEST_KEY = MetaData:Sourcetype
[override_kafka_host]
REGEX = "host":"([^"]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[purchase]
REGEX = api=\"(ActionMenu|Buy|Create)\".*LIVE
DEST_KEY = queue
FORMAT = indexQueue
[extraction]
SOURCE_KEY = message
REGEX = (\w+)=([^,]+),
FORMAT = $1::$2
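As an added example, not code from the original post or from Splunk, this Python snippet applies the two key=value regex variants above (the [extraction] stanza's regex with its trailing comma, and the same regex without it) to a constructed Kafka-style JSON event, mimicking SOURCE_KEY = message in plain Python; the sample event, field names and values are all constructed, and the purchase filter is assumed to run against the decoded message field rather than Splunk's default _raw.

```python
# Added example (not from the original post): apply the poster's key=value
# regexes to a constructed Kafka-style JSON event and show what each returns.
import json
import re

# Constructed sample event in the shape props.conf above expects: JSON with
# "@timestamp", "host" and a comma-separated key=value "message" field.
SAMPLE_EVENT = json.dumps({
    "@timestamp": "2021-03-04T05:06:07.123Z",
    "host": "kafka-consumer-01",
    "message": 'api="Buy",env=LIVE,user=u123,amount=42.50,currency=EUR',
})
# Constructed non-purchase event used to exercise the filter's negative case.
OTHER_EVENT = json.dumps({
    "@timestamp": "2021-03-04T05:06:08.456Z",
    "host": "kafka-consumer-01",
    "message": 'api="Search",env=LIVE,user=u123',
})

# Regex from the [extraction] stanza: it requires a trailing comma, so the
# final field=value pair of the message is never captured.
REGEX_WITH_COMMA = re.compile(r"(\w+)=([^,]+),")
# Same regex without the trailing comma: the last pair is captured as well.
REGEX_NO_COMMA = re.compile(r"(\w+)=([^,]+)")


def extract_fields(event_json: str, pattern: re.Pattern) -> dict:
    """Mimic SOURCE_KEY = message with FORMAT = $1::$2: take the 'message'
    field of the JSON event and return every (group 1 -> group 2) pair the
    pattern finds, in order of appearance."""
    message = json.loads(event_json).get("message", "")
    return {key: value for key, value in pattern.findall(message)}


def purchase_filter(event_json: str) -> bool:
    """Mimic the [purchase] stanza on the decoded message field (assumption:
    Splunk runs an index-time REGEX against _raw unless SOURCE_KEY says
    otherwise). Keep only api="ActionMenu|Buy|Create" followed by LIVE."""
    message = json.loads(event_json).get("message", "")
    return re.search(r'api="(ActionMenu|Buy|Create)".*LIVE', message) is not None


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT, REGEX_WITH_COMMA))  # 4 pairs, no currency
    print(extract_fields(SAMPLE_EVENT, REGEX_NO_COMMA))    # all 5 pairs
    print(purchase_filter(SAMPLE_EVENT), purchase_filter(OTHER_EVENT))
```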