Re: Help extracting key value pairs within a group...

timgren · ‎03-26-2021

I'm trying to pull KV pairs from a event field, and having trouble. The issue is I don't know what the field names will be, nor how many. The parent field value also groups the KV pairs within braces, adding and additional layer of brain trauma.

In testing, /([^{=,]+)=([^,}]+)/g does the job in regex101, but not splunk.

Such as:

| makeresults

| eval msg.additionalValues="{field1=value1, field2=value2, field3=value3}"

| rex field=msg.additionalValues "/([^{=,]+)=([^,}]+)/g"

Results in:

Error: "Error in 'rex' command: The regex '/([^{=,]+)=([^,}]+)/g' does not extract anything. It should specify at least one named group. Format: (?<name>...)."

Since i have multiple named groups, how is this possible?

ITWhisperer · ‎03-26-2021

| makeresults
| eval msg.additionalValues="{field1=value1, field2=value2, field3=value3}"
| rex field=msg.additionalValues "(?<fields>[^{}]+)"
| rename fields as _raw
| extract pairdelim="," kvdelim="="

timgren · ‎03-26-2021

Excellent! Can this solution be applied to an auto-extraction or transformation method?

Help extracting key value pairs within a grouped/nested field.

field extraction

transforms.conf

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation