Solved: Basic Key Value extraction

erichard · ‎04-22-2018

Hello,

I receive message like this :

 topic="Sniffer" message=""timestamp"="1524387631351","process"="com.x.android.apps","packageName"="com.google.android.gms","type"="URL","URL"="https://x.x.com/UploadConfigurationService/UnitUploadSettings/x071x?clientId=xx-mobile""
topic="Sniffer" message=""timestamp"="1524387779884","process"="com.google.android.gms","packageName"="com.google.android.gms","type"="URL","URL"="https://android.clients.google.com/c2dm/register3""

and I need to extract all key/value from "message=" without knowing the fields, I have only the syntaxe KV so here I would like to have :

process : com.x.android.apps
packageName : com.google.android.gms
...

I try without sucess :

index=devices Sniffer  |  rex field=_raw ".*message=\"(?<message>.*)\"" |   extract pairdelim="," kvdelim="=" |table  *

Any idea ?

Thanks for your help 😉

niketn · ‎04-22-2018

@erichard, try the following run anywhere search based on sample data provided. (Commands from | makeresults to | rename data as _raw generate dummy data. Assuming you have two events starting from topic field)

| makeresults
| eval data="topic=\"Sniffer\" message=\"\"timestamp\"=\"1524387631351\",\"process\"=\"com.x.android.apps\",\"packageName\"=\"com.google.android.gms\",\"type\"=\"URL\",\"URL\"=\"https://x.x.com/UploadConfigurationService/UnitUploadSettings/x071x?clientId=xx-mobile\"\"; topic=\"Sniffer\" message=\"\"timestamp\"=\"1524387779884\",\"process\"=\"com.google.android.gms\",\"packageName\"=\"com.google.android.gms\",\"type\"=\"URL\",\"URL\"=\"https://android.clients.google.com/c2dm/register3\"\""
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex ".*message=\"(?<message>.*)\"" 
| rename message as _raw
| extract pairdelim="," kvdelim="="
| table *

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎04-22-2018

@erichard, try the following run anywhere search based on sample data provided. (Commands from | makeresults to | rename data as _raw generate dummy data. Assuming you have two events starting from topic field)

| makeresults
| eval data="topic=\"Sniffer\" message=\"\"timestamp\"=\"1524387631351\",\"process\"=\"com.x.android.apps\",\"packageName\"=\"com.google.android.gms\",\"type\"=\"URL\",\"URL\"=\"https://x.x.com/UploadConfigurationService/UnitUploadSettings/x071x?clientId=xx-mobile\"\"; topic=\"Sniffer\" message=\"\"timestamp\"=\"1524387779884\",\"process\"=\"com.google.android.gms\",\"packageName\"=\"com.google.android.gms\",\"type\"=\"URL\",\"URL\"=\"https://android.clients.google.com/c2dm/register3\"\""
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex ".*message=\"(?<message>.*)\"" 
| rename message as _raw
| extract pairdelim="," kvdelim="="
| table *

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

erichard · ‎04-22-2018

@niketnilay Many thanks !!!

Basic Key Value extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!