Solved: Re: Regex for multiple Key value pair, after strin...

nmsaraujo · ‎10-20-2021

Hello all,

I am looking to extract automatically, all key value pairs, from the following event.

Oct 20 12:52:40 11.22.33.44 status: Info: Status: CPULd 0 DskIO 0 RAMUtil 4 QKUsd 0 QKFre 8388608 CrtMID 184222 CrtICID 2257015 CrtDCID 83915 InjMsg 126359 InjRcp 133519 GenBncRcp 2695 RejRcp 39342 DrpMsg 6 SftBncEvnt 9183 CmpRcp 139771 HrdBncRcp 3372 DnsHrdBnc 560 5XXHrdBnc 2406 FltrHrdBnc 0 ExpHrdBnc 406 OtrHrdBnc 0 DlvRcp 136399 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 5081719 NetReq 2029480 CchHit 5092135 CchMis 1888266 CchEct 891535 CchExp 1239213 CPUTTm 283360 CPUETm 123729299 MaxIO 7211 RAMUsd 182837940 MMLen 0 DstInMem 5 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 6 SophLd 0 BMLd 0 CASELd 0 TotalLd 53 LogAvail 175G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 1743004 SwOut 1980200 SwPgIn 8219419 SwPgOut 19669768 RptLd 0 QtnLd 0 EncrQ 0 InjBytes 21864651864

For that, I used the folowing regex:
(?<key>\S+)\s(?<value>\d+)

However, I can not get a 100% match, because I only want this to be valid for all the data after "Status:" (in bold, in the example).

Can anyone help me get a regex for this key value pair extraction?

Thanks in advance.

ITWhisperer · ‎10-20-2021

Alternatively, assuming none of your keys match short month names

| rex max_match=0 "(?<key>[A-Za-z]+)(?<!Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s(?<value>\d+)"

View solution in original post

ITWhisperer · ‎10-20-2021

Alternatively, assuming none of your keys match short month names

| rex max_match=0 "(?<key>[A-Za-z]+)(?<!Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s(?<value>\d+)"

nmsaraujo · ‎10-20-2021

Thanks @ITWhisperer for the quick reply.

This worked perfectly.

ITWhisperer · ‎10-20-2021

You can do it in two extractions

| makeresults 
| eval _raw="Oct 20 12:52:40 11.22.33.44 status: Info: Status: CPULd 0 DskIO 0 RAMUtil 4 QKUsd 0 QKFre 8388608 CrtMID 184222 CrtICID 2257015 CrtDCID 83915 InjMsg 126359 InjRcp 133519 GenBncRcp 2695 RejRcp 39342 DrpMsg 6 SftBncEvnt 9183 CmpRcp 139771 HrdBncRcp 3372 DnsHrdBnc 560 5XXHrdBnc 2406 FltrHrdBnc 0 ExpHrdBnc 406 OtrHrdBnc 0 DlvRcp 136399 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 5081719 NetReq 2029480 CchHit 5092135 CchMis 1888266 CchEct 891535 CchExp 1239213 CPUTTm 283360 CPUETm 123729299 MaxIO 7211 RAMUsd 182837940 MMLen 0 DstInMem 5 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 6 SophLd 0 BMLd 0 CASELd 0 TotalLd 53 LogAvail 175G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 1743004 SwOut 1980200 SwPgIn 8219419 SwPgOut 19669768 RptLd 0 QtnLd 0 EncrQ 0 InjBytes 21864651864"




| rex "Status:\s(?<Status>.+)"
| rex max_match=0 field=Status "(?<key>\S+)\s(?<value>\d+)"

Regex for multiple Key value pair, after string

field extraction

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?