Solved: Complex kv extraction

mfscully · ‎12-17-2014

The DateTime and ServerName values are always there, but the kv pairs afterwards are variable.
I tried using the extract command but it sets $DateTime=$ServerName.
What's the best way to extract the kv pairs?

lguinn2 · ‎12-17-2014

Well, you could do this in props.conf

[yoursourcetypename]
EXTRACT-e1=caller_file_name\|(?<caller_file_name>.*?)\|
EXTRACT-e1=caller_package\|(?<caller_package>.*?)\|

etc.

It isn't pretty but it is exact. If you try to extract using the REPORT option, with DELIMs, etc. - it won't work because Splunk expects name-value pairs. And your data doesn't start with a name-value pair. But you've already figured that out...

View solution in original post

lguinn2 · ‎12-17-2014

Well, you could do this in props.conf

[yoursourcetypename]
EXTRACT-e1=caller_file_name\|(?<caller_file_name>.*?)\|
EXTRACT-e1=caller_package\|(?<caller_package>.*?)\|

etc.

It isn't pretty but it is exact. If you try to extract using the REPORT option, with DELIMs, etc. - it won't work because Splunk expects name-value pairs. And your data doesn't start with a name-value pair. But you've already figured that out...

Complex kv extraction

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases