Convert multi-value expression to field names and ...

rharrisssi · ‎01-04-2018

I have a string,

"one:isone,two:istwo,three:isthree"

The goal is to convert these to fields and values, without knowing what will be in the string. Basically the following, but automagic.

| eval one="isone"
| eval two="istwo"
...

micahkemp · ‎01-04-2018

Splunk enables this type of behavior with the _KEY_1 and _VAL_1 syntax:

in transforms.conf:

[colon_comma_separated]
REGEX = (?<_KEY_1>[^:]+):(?<_VAL_1>[^,]+)

in props.conf:

[<sourcetype>]
REPORT-colon_comma_separated

From the transforms.conf doc:

  * If the REGEX extracts both the field name and its corresponding field
    value, you can use the following special capturing groups if you want to
    skip specifying the mapping in FORMAT:
      _KEY_<string>, _VAL_<string>.
  * For example, the following are equivalent:
    * Using FORMAT:
      * REGEX  = ([a-z]+)=([a-z]+)
      * FORMAT = $1::$2
    * Without using FORMAT
      * REGEX  = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)
    * When using either of the above formats, in a search-time extraction,
      the regex will continue to match against the source text, extracting
      as many fields as can be identified in the source text.

Convert multi-value expression to field names and values

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk