Solved: Extract Multiple Fields with Regex

ryoji_solsys · ‎12-04-2014

I would like to extract fields in the response field dynamically by using "<_KEY_1" "<_VAL_1>" in transforms.conf

response = "customer:{tel:123456} startpoint:{http://www.splunk.com} interfaceNumber:{1234} name:{abc}"

Ideally I want to generate fields as

response-customer-tel = 123456
response-startpoint = http://www.splunk.com
response-interfacenumber = 1234 
response-name = abc

I have the following regex.

response=.+ (?<_KEY_1>\w+)\:\{(?<_VAL_1>.+)\}

I only get the last field "name" = "abc" extracted.

What is the best way to extract multi-fields dynamically by using KEY and VAL. (I don't know how many entries the response field has since each event can have a different number of entries in the response field).
I would also like to extract fields in a way that append "response" to each field so that it says response-name, response-interfacenumber and so on...
I learned that I can use "FIELDALIAS" to modify the field names from the previous question but is there anyway I can append "request" to the extracted fields automatically ?

Thanks.

musskopf · ‎12-04-2014

Try to use this Regex:

(?P<_KEY_1>\w+):\{(?P<_VAL_1>[^\s]+)\}

I haven't tested in Splunk but tested in https://regex101.com/ and seems fine

Cheers

View solution in original post

musskopf · ‎12-04-2014

Try to use this Regex:

(?P<_KEY_1>\w+):\{(?P<_VAL_1>[^\s]+)\}

I haven't tested in Splunk but tested in https://regex101.com/ and seems fine

Cheers

ryoji_solsys · ‎12-04-2014

Thanks for the prompt answer.
This helped me to extract multiple fields. But can I also somehow append "req" to each field automatically ?

Extract Multiple Fields with Regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!