Re: Help extracting key value pairs within a group...

timgren · ‎03-26-2021

I'm trying to pull KV pairs from a event field, and having trouble. The issue is I don't know what the field names will be, nor how many. The parent field value also groups the KV pairs within braces, adding and additional layer of brain trauma.

In testing, /([^{=,]+)=([^,}]+)/g does the job in regex101, but not splunk.

Such as:

| makeresults

| eval msg.additionalValues="{field1=value1, field2=value2, field3=value3}"

| rex field=msg.additionalValues "/([^{=,]+)=([^,}]+)/g"

Results in:

Error: "Error in 'rex' command: The regex '/([^{=,]+)=([^,}]+)/g' does not extract anything. It should specify at least one named group. Format: (?<name>...)."

Since i have multiple named groups, how is this possible?

ITWhisperer · ‎03-26-2021

| makeresults
| eval msg.additionalValues="{field1=value1, field2=value2, field3=value3}"
| rex field=msg.additionalValues "(?<fields>[^{}]+)"
| rename fields as _raw
| extract pairdelim="," kvdelim="="

timgren · ‎03-26-2021

Excellent! Can this solution be applied to an auto-extraction or transformation method?

Help extracting key value pairs within a grouped/nested field.

field extraction

transforms.conf

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres

Are you a member of the Splunk Community?