Get event into kvpairs

brent_weaver · ‎06-26-2017

I have this event:

2017-06-26|20:37:56.551 [Thread-26] INFO  [InsertCache.java:56] - InsertCache Stats: getTagCacheHits() = 191891 getTagCacheMisses() = 14 getBucketCacheHits() = 191879 getBucketCacheMisses() = 26 getIntervalCacheHits() = 186294 getIntervalCacheMisses() = 5611 getVersionCacheHits() = 186294 getVersionCacheMisses() = 5611 getTotalCacheHits() = 756358 getTotalCacheMisses() = 11262 getTotalEvictionCount() = 10095

How would I get the KEY() = VALUE into nvpairs in splunk after*InsertCache Stats*:

somesoni2 · ‎06-26-2017

Using inline in the search, you can do like this

your base search 
| rex mode=sed "s/(\w+)\(\)\s*\=\s*(\S+)/\1=\2/g" 
| extract

Get event into kvpairs

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor