Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- How to extract the key value pairs?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is an example of my event:
Timestamp="05/18/14 11:25:16 AM PDT" SessionIndex="2" Action="STATSDAILY" Version="2.1.10" Platform="Android" Device="HTC One" Params="{coinsEarned : 1800,coinsSpent : 1100,experienceEarned : 2460,timeSpent : 4417,diamondsEarned : 3,diamondsSpent : 18,noOfSessions : 4,energySpent : 7,gamesCompleted : 5}"
In the above event, in the field "Params", I need to extract the keys as the fields and their values as values for the new fields. So a new field "coinsEarned" should be extracted and its value should be "1800" for this event. Similarly for all the key-value pairs in the field Params.
Can someone help me with the regular expression to get the desired results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can just add this to your search:
| extract pairdelim="\"{,}" kvdelim=":"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is what worked for me:
| makemv tokenizer="([^,]+)," Params | mvexpand line
| rex field=Params "(?<key>[^{:]+) : (?<value>[0-9]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can just add this to your search:
| extract pairdelim="\"{,}" kvdelim=":"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used the following to help with this at search time with key-value pairs that had space delimiters and = key delimiters:
| extract pairdelim=" " kvdelim="="This also works when your KV pairs optionally have quotation marks for data that contains whitespace.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As a matter of fact, one actually doesn't need to specify the field name, which contains all the key value pair.
I used following simple extract parameters:
| extract pairdelim="," kvdelim=":"
One doesn't need to escape "," as done in the first answer!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract something like all the key-value pairs in the field Params ?
Timestamp="05/18/14 11:25:16 AM PDT" SessionIndex="2" Action="STATSDAILY" Version="2.1.10" Platform="Android" Device="HTC One" Params={"coinsEarned":"1800","coinsSpent":"no coins spent","experienceEarned":"2460","timeSpent":"4417","}
I've tried this but no luck
...| extract pairdelim="\"{,}" kvdelim=":"
Thank in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar situation and this answer doesn't work for me. How does the extract command know to work on the Params field? It's not mentioned anywhere
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect! You saved my day 🙂
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Splunk App Dev Community Updates – What’s New and What’s Next
The Latest Cisco Integrations With Splunk Platform!
