Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help extracting key value pairs within a grouped/nested field.

timgren
Path Finder
‎03-26-2021 03:13 PM

I'm trying to pull KV pairs from a event field, and having trouble. The issue is I don't know what the field names will be, nor how many. The parent field value also groups the KV pairs within braces, adding and additional layer of brain trauma. 

In testing,  /([^{=,]+)=([^,}]+)/g  does the job in regex101, but not splunk. 

Such as:

| makeresults

| eval msg.additionalValues="{field1=value1, field2=value2, field3=value3}"

| rex field=msg.additionalValues "/([^{=,]+)=([^,}]+)/g" 

Results in: 

Error: "Error in 'rex' command: The regex '/([^{=,]+)=([^,}]+)/g' does not extract anything. It should specify at least one named group. Format: (?<name>...)." 

Since i have multiple named groups, how is this possible? 

 

Labels (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-26-2021 04:29 PM 
| makeresults
| eval msg.additionalValues="{field1=value1, field2=value2, field3=value3}"
| rex field=msg.additionalValues "(?<fields>[^{}]+)"
| rename fields as _raw
| extract pairdelim="," kvdelim="="
Reply

timgren
Path Finder
‎03-26-2021 06:03 PM

Excellent!  Can this solution be applied to an auto-extraction or transformation method? 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...