- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to extract the key value pairs?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is an example of my event:
Timestamp="05/18/14 11:25:16 AM PDT" SessionIndex="2" Action="STATSDAILY" Version="2.1.10" Platform="Android" Device="HTC One" Params="{coinsEarned : 1800,coinsSpent : 1100,experienceEarned : 2460,timeSpent : 4417,diamondsEarned : 3,diamondsSpent : 18,noOfSessions : 4,energySpent : 7,gamesCompleted : 5}"
In the above event, in the field "Params", I need to extract the keys as the fields and their values as values for the new fields. So a new field "coinsEarned" should be extracted and its value should be "1800" for this event. Similarly for all the key-value pairs in the field Params.
Can someone help me with the regular expression to get the desired results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can just add this to your search:
| extract pairdelim="\"{,}" kvdelim=":"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is what worked for me:
| makemv tokenizer="([^,]+)," Params | mvexpand line
| rex field=Params "(?<key>[^{:]+) : (?<value>[0-9]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can just add this to your search:
| extract pairdelim="\"{,}" kvdelim=":"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used the following to help with this at search time with key-value pairs that had space delimiters and = key delimiters:
| extract pairdelim=" " kvdelim="="This also works when your KV pairs optionally have quotation marks for data that contains whitespace.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract something like all the key-value pairs in the field Params ?
Timestamp="05/18/14 11:25:16 AM PDT" SessionIndex="2" Action="STATSDAILY" Version="2.1.10" Platform="Android" Device="HTC One" Params={"coinsEarned":"1800","coinsSpent":"no coins spent","experienceEarned":"2460","timeSpent":"4417","}
I've tried this but no luck
...| extract pairdelim="\"{,}" kvdelim=":"
Thank in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar situation and this answer doesn't work for me. How does the extract command know to work on the Params field? It's not mentioned anywhere
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect! You saved my day 🙂
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
