Splunk Search

Given two fields, how can i create a third field whose name is the first value and whose value is the second?

sideview
SplunkTrust
SplunkTrust

I have a dataset where the rows in my search results all have a 'value' field, and there's another field that specifies what exactly this is the value of.

So picture having

name="color" value="red"

how could I get these rows to have

color="red"

And of course this is given that i have no idea what any of the names are going to be up front so I have to set it dynamically.

Since there's a lot going on in the regex already I am a bit reluctant to try and do it in the transforms.conf stanza itself. However I'm at a loss for what such a regex would like like so any help there is appreciated too. 😃

I'm sure someone has run into this before and rather than hack my way through it I thought I'd ask what the best practice is.

Tags (2)
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

There are two ways that this can be done.

  1. Use eval. Any string in curly braces "{}" in the destination key will be resolved using the value of that named field. For example: ... | eval {name}=value | ...
  2. Use chart. If all you care about is the the columns implied by the value of "name", you can use the series creation feature of chart. For example: ... | chart first(value) by <rowid> name.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

If you still want to do it in transforms.conf, you would do:

REGEX = name="(?<_KEY_1>[^"])" value="(?<_VAL_1>[^"])"

i.e., Splunk will take pairs of named extractions and make KV pairs out of them. The above would be equivalent to:

REGEX = name="([^"])" value="([^"])"
FORMAT = $1::$2

Presumably your data looks something like:

{ name="color" value="red" }, { name="width" value="300" }, { name="height" value="150" }

which is fine, as the field extraction will get repeated by default.

The Splunk default extractions for WMI and Windows Event Logs in etc/system/default/transforms.conf use this general technique.

sideview
SplunkTrust
SplunkTrust

Thanks Gerald. I'd forgotten about the FORMAT key and I've just been doing named extractions. I'll take another look and this may be the way to go. My events are considerably messier than that unfortunately but even so, the FORMAT may well clean things up.

Stephen_Sorkin
Splunk Employee
Splunk Employee

There are two ways that this can be done.

  1. Use eval. Any string in curly braces "{}" in the destination key will be resolved using the value of that named field. For example: ... | eval {name}=value | ...
  2. Use chart. If all you care about is the the columns implied by the value of "name", you can use the series creation feature of chart. For example: ... | chart first(value) by <rowid> name.

sideview
SplunkTrust
SplunkTrust

awesome. Both are good solutions. I tend to prefer the "chart first(value) over by name" syntax cause its less confusing (which i only mention because i just got confused by yr answer =). Sorkin's the best.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...