I have a string,
"one:isone,two:istwo,three:isthree"
The goal is to convert these to fields and values, without knowing what will be in the string. Basically the following, but automagic.
| eval one="isone"
| eval two="istwo"
...
Splunk enables this type of behavior with the _KEY_1 and _VAL_1 syntax:
in transforms.conf:
[colon_comma_separated]
REGEX = (?<_KEY_1>[^:]+):(?<_VAL_1>[^,]+)
in props.conf:
[<sourcetype>]
REPORT-colon_comma_separated = colon_comma_separated
From the transforms.conf doc:
* If the REGEX extracts both the field name and its corresponding field
value, you can use the following special capturing groups if you want to
skip specifying the mapping in FORMAT:
_KEY_<string>, _VAL_<string>.
* For example, the following are equivalent:
* Using FORMAT:
* REGEX = ([a-z]+)=([a-z]+)
* FORMAT = $1::$2
* Without using FORMAT
* REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)
* When using either of the above formats, in a search-time extraction,
the regex will continue to match against the source text, extracting
as many fields as can be identified in the source text.
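An added emulation of what the REPORT extraction above does, written for this thread; it is not part of the original answer and not Splunk code. It applies the regex repeatedly with Python's re module (named groups spelled (?P<...>), since re does not accept Splunk's (?<...>) form), pairs each _KEY_x group with its _VAL_x group, and approximates the key cleaning that the CLEAN_KEYS setting in transforms.conf (default true) performs on search-time extractions. That detail matters for the answer's regex: after the first match the engine resumes at the comma, so the raw keys of the later fields are ",two" and ",three", and key cleaning is what turns them into "two" and "three". TIGHT_REGEX is my own variant, not something from the thread, that keeps the delimiter out of the key so the result does not depend on cleaning; extract_with_format shows the FORMAT = $1::$2 spelling the doc quote calls equivalent.

```python
import re

# Constructed sample input, taken from the question in this thread.
SAMPLE = "one:isone,two:istwo,three:isthree"

# The answer's REGEX. Splunk's PCRE engine accepts (?<name>...); Python's re
# module needs the (?P<name>...) spelling, which is the only change here.
ANSWER_REGEX = r"(?P<_KEY_1>[^:]+):(?P<_VAL_1>[^,]+)"

# A tighter variant (an assumption, not from the thread) that forbids the
# record delimiter inside the key, so no match can begin with a comma.
TIGHT_REGEX = r"(?P<_KEY_1>[^:,]+):(?P<_VAL_1>[^,]+)"


def clean_key(key: str) -> str:
    """Approximate Splunk's CLEAN_KEYS (default true) for search-time
    extractions: non-alphanumeric characters become underscores, then
    leading underscores and digits are stripped."""
    key = re.sub(r"[^A-Za-z0-9_]", "_", key)
    return key.lstrip("_0123456789")


def extract_key_val(text: str, pattern: str, clean_keys: bool = True) -> dict:
    """Emulate a REPORT-* extraction that uses _KEY_<x>/_VAL_<x> groups.

    As in Splunk, the regex is applied repeatedly over the whole text and
    every match contributes fields. Values for a repeated key are kept in
    order, so the result maps field name -> list of values."""
    regex = re.compile(pattern)
    suffixes = [name[len("_KEY_"):] for name in regex.groupindex
                if name.startswith("_KEY_")]
    fields: dict = {}
    for m in regex.finditer(text):
        for suffix in suffixes:
            key, val = m.group("_KEY_" + suffix), m.group("_VAL_" + suffix)
            if key is None or val is None:
                continue
            if clean_keys:
                key = clean_key(key)
            if key:  # a key that cleans down to nothing is dropped
                fields.setdefault(key, []).append(val)
    return fields


def extract_with_format(text: str, pattern: str, fmt: str,
                        clean_keys: bool = True) -> dict:
    """Emulate the equivalent FORMAT = $1::$2 spelling: expand each $n with
    the numbered groups of the current match and split the result on '::'."""
    regex = re.compile(pattern)
    fields: dict = {}
    for m in regex.finditer(text):
        expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)
        key, sep, val = expanded.partition("::")
        if not sep:
            continue
        if clean_keys:
            key = clean_key(key)
        if key:
            fields.setdefault(key, []).append(val)
    return fields


if __name__ == "__main__":
    print(extract_key_val(SAMPLE, ANSWER_REGEX))                   # cleaned keys
    print(extract_key_val(SAMPLE, ANSWER_REGEX, clean_keys=False))  # raw ",two"
    print(extract_key_val(SAMPLE, TIGHT_REGEX, clean_keys=False))
    print(extract_with_format(SAMPLE, r"([^:,]+):([^,]+)", "$1::$2"))
```

Running it with clean_keys=False on the answer's regex is the quickest way to see why the leading comma matters: if you ever set CLEAN_KEYS = false in a transform like this, prefer the tighter character class so the field names stay clean.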