Solved: Splunk Field Extraction inside a bracket

jadengoho · ‎03-26-2020

Hi All,
Is there any faster way to extract fields with this format on props and transforms file? like Key value pair ?
There's a lot more field than that , that's why im finding an easier way to extract field value

2020/03/01-10:01:01 [firstname "JOHN"] [surename "DOE"] [age "30"] [state "NY"] [id "10001"]
2020/03/01-10:01:02 [firstname "Julie"] [age "58"] [state "AU"] [id "10002"]
2020/03/01-10:01:02 [firstname "MEGAN"][middlename "myra"] [surename "DOE"] [age "58"] [state "AU"] [id "10052"]

woodcock · ‎03-26-2020

Like this:

REGEX = \[(?<key>\S+)\s+"(?<value>[^"]+)
FORMAT = $1::$2

See here:
https://regex101.com/r/ZvxlMY/1

View solution in original post

woodcock · ‎03-26-2020

Like this:

REGEX = \[(?<key>\S+)\s+"(?<value>[^"]+)
FORMAT = $1::$2

See here:
https://regex101.com/r/ZvxlMY/1

jadengoho · ‎03-26-2020

thanks @woodcock - this is very helpful.
Can i use this command for specific logs only ? i need this configuration for INFO only not DEBUG?
https://regex101.com/r/ZvxlMY/2

 2020/03/01-10:01:01 INFO [firstname "JOHN"] [surename "DOE"] [age "30"] [state "NY"] [id "10001"]
 2020/03/01-10:01:02 DEBUG [firstname "Julie"] [age "58"] [state "AU"] [id "10002"]
 2020/03/01-10:01:02 INFO [firstname "MEGAN"][middlename "myra"] [surename "DOE"] [age "58"] [state "AU"] [id "10052"]

woodcock · ‎03-26-2020

There is no sense in limiting the field extraction. Limit it in your search. Create your stanza based on sourcetype.

richgalloway · ‎03-26-2020

Faster than what? Easier than what? What are your current props.conf settings?

---
If this reply helps you, Karma would be appreciated.

Splunk Field Extraction inside a bracket

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life