Getting Data In

Multiple key value pair extractions

huaraz
Explorer

I have a logfile with the following format:

LOG: : ; : ; .....

If I had only one key value pair I think I could do

[mylog]
REGEX = LOG: (\S+): (.*);
FORMAT = $1::$2

or two pairs

[mylog]
REGEX = LOG: (\S+): (.*); (\S+): (.*);
FORMAT = $1::$2 $3::$4

but what can I do if I have an unknown number of pairs?

Thank you

Markus


willthames2
Path Finder

Have you looked at DELIMS rather than REGEX?

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextrac...

Not sure how that would cope with the LOG at the start of the line, but I imagine you could always strip it off before DELIMS.


borisalves
Path Finder

I just had to deal with a similar issue for JSON data. I am running 4.2 and do not have spath() available; this is what I did:

Initial search: BesRttSorterImpl

Result:
[2012-02-10 14:31:12 PST] BesRttSorterImpl - DEBUG: RTT Site scores={"AAA":39.88540275,"BBB":65.32070525,"CCC":148.4583085}

The first thing to pay attention to is that JSON always returns a structure field; in this case scores is the main field. So the first addition to the search is to ignore any results without scores.

Search 1: BesRttSorterImpl scores

The overall goal now is to have each value pair show as a field, in this case called a multi-valued field, also referred to as "mv". In order to do that, we execute what Splunk does best: remove what we do not want to see.

scores={"AAA":39.88540275,"BBB":65.32070525,"CCC":148.4583085}

We will use the function eval for that. What to know about eval: it executes functions and returns the result to another field.

So it works somewhat like this:

Search | eval result=function (X,Y)

To start, we will replace {" with blank into a field called result

| eval result=replace(scores,"{\"","")

Note the use of \ to mean the literal " instead of using the quote as a delimiter

Then we will remove the other }

| eval result2=replace(result,"}","")

We will now remove all “ from the results

| eval result3=replace(result2,"\"","")

Now we replace the Json delimiter with “=”

| eval result4=replace(result3,":","=")

The final step is to make subfields using split

| eval result5=split(result4,",")

Now we have all the values in result5; to present them we use table.

| table result5

Putting all together:

BesRttSorterImpl scores | eval result=replace(scores,"{\"","") | eval result2=replace(result,"}","") | eval result3=replace(result2,"\"","") | eval result4=replace(result3,":","=") | eval result5=split(result4,",") | table result5

will show:
AAA=value
BBB=Value
CCC=Value

If the elements are not in the order you want, then further manipulation is required to have all elements match; using if() and match() can do that.

Not elegant, but worked for me.
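As an added reference implementation (not from this thread or from Splunk), the following Python shows what the two formats discussed here look like when parsed by applying one pair-matching regex repeatedly instead of writing N capture groups: the asker's "LOG: key: value; ..." layout (with the leading "LOG:" stripped first, which is the concern raised above about DELIMS) and the scores={...} JSON line, parsed as JSON rather than by removing braces and quotes step by step. The sample lines are constructed.

```python
import json
import re

# Constructed sample lines in the two formats discussed in the thread.
KV_LINE = "LOG: user: alice; src: 10.0.0.5; action: login; result: ok;"
JSON_LINE = ('[2012-02-10 14:31:12 PST] BesRttSorterImpl - DEBUG: '
             'RTT Site scores={"AAA":39.88540275,"BBB":65.32070525,"CCC":148.4583085}')

# One "key: value;" pair per match. Applying this repeatedly is the
# general form of the single-pair REGEX/FORMAT stanza in the question.
PAIR_RE = re.compile(r"(\S+): (.*?);")


def extract_pairs(line):
    """Return {key: value} for an unknown number of 'key: value;' pairs.

    The 'LOG: ' prefix must be removed first: otherwise the first match
    would take 'LOG' as the key and 'user: alice' as its value.
    """
    body = line[len("LOG: "):] if line.startswith("LOG: ") else line
    return {m.group(1): m.group(2).strip() for m in PAIR_RE.finditer(body)}


# Greedy match of the JSON object that follows 'scores='.
SCORES_RE = re.compile(r"scores=(\{.*\})")


def extract_scores(line):
    """Parse the JSON after 'scores=' into {site: score}.

    Returns {} when the line has no scores field, which is the
    'ignore any results without scores' step of the eval approach.
    """
    m = SCORES_RE.search(line)
    if not m:
        return {}
    return json.loads(m.group(1))


def as_multivalue(pairs):
    """Render pairs as the 'KEY=value' strings that result5 holds."""
    return [f"{k}={v}" for k, v in pairs.items()]


if __name__ == "__main__":
    print(extract_pairs(KV_LINE))
    print(as_multivalue(extract_scores(JSON_LINE)))
```

In SPL the delimiter-based equivalent of extract_pairs is the extract (kv) command with its pairdelim and kvdelim options, which also does not need the number of pairs in advance.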
