Solved: Re: How to extract key value pairs out of a multiv...

HeinzWaescher · ‎05-02-2016

Hi,

is it possible to extract key value pairs out of a multivalue field like this:

multivaluefield: sales:100 ,refunds: 25

What I need is

multivaluefield.sales: 100
multivaluefield.refunds: 25

The amount of entries in the multivaluefield isn't constant, so there could be 1-n entries.

Thanks in advance
Heinz

javiergn · ‎05-02-2016

Could you transform that multivalue field into JSON first and then use spath instead maybe?
For example:

| stats count
| fields - count
| eval multivaluefield = "sales:100,refunds: 25"
| eval multivaluefield_temp = multivaluefield
| fields - multivaluefield
| eval multivaluefieldJSON = "{ \"multivaluefield\" : {\"" . replace(replace(multivaluefield_temp, ":", "\":\""), ",", "\" , \""). "\"} }"
| spath input=multivaluefieldJSON

Output:

multivaluefield.refunds     multivaluefield.sales   multivaluefieldJSON     multivaluefield_temp
25  100     { "multivaluefield" : {"sales":"100" , "refunds":" 25"} }   sales:100,refunds: 25

If not, would the following work for you maybe?

| stats count
| fields - count
| eval multivaluefield = split("sales:100,refunds: 25", ",")
| mvexpand multivaluefield
| eval temp = _raw
| eval _raw = multivaluefield
| extract kvdelim=":" pairdelim=","
| eval _raw = temp
| fields - temp

View solution in original post

DalJeanis · ‎01-03-2017

if you already have this in an actual Splunk multivalue field, then it goes like this -

| mvexpand multivaluefield
| rex field=multivaluefield "^(?[A-Za-z]+):(?[0-9]+)$"

So in your output, OneField will contain "sales" or "refunds" and OneValue will contain the respective values 100 or 25.

Also, if you have it in a single "flattened" field, separated by commas - since you're showing a comma in your example - then you may need to do this first

| makemv multivalued delim=","

javiergn · ‎05-09-2016

Hi, did any of the comments below help you on this?
If yes, can you mark it as answered?
If not, is there any else we can do to help?
Unanswered questions make me sad 😞

HeinzWaescher · ‎05-09-2016

Sorry, I did not have the time to work on it yet 😞
But it is on my list and, of course, I'll write feedback whether I have been able so solve my problem

woodcock · ‎05-02-2016

You should be able to do this with unanchored RegEx, like this in props.conf:

[mv_column_kvps]
FORMAT = $1::$2
MV_ADD = 1
REGEX = ([^:,]+)[:]\s*([^;,.=()]*)(?:\s*[,]|$)
SOURCE_KEY = multivaluefield
disabled = 1

javiergn · ‎05-02-2016

Could you transform that multivalue field into JSON first and then use spath instead maybe?
For example:

| stats count
| fields - count
| eval multivaluefield = "sales:100,refunds: 25"
| eval multivaluefield_temp = multivaluefield
| fields - multivaluefield
| eval multivaluefieldJSON = "{ \"multivaluefield\" : {\"" . replace(replace(multivaluefield_temp, ":", "\":\""), ",", "\" , \""). "\"} }"
| spath input=multivaluefieldJSON

Output:

multivaluefield.refunds     multivaluefield.sales   multivaluefieldJSON     multivaluefield_temp
25  100     { "multivaluefield" : {"sales":"100" , "refunds":" 25"} }   sales:100,refunds: 25

If not, would the following work for you maybe?

| stats count
| fields - count
| eval multivaluefield = split("sales:100,refunds: 25", ",")
| mvexpand multivaluefield
| eval temp = _raw
| eval _raw = multivaluefield
| extract kvdelim=":" pairdelim=","
| eval _raw = temp
| fields - temp

HeinzWaescher · ‎05-13-2016

the first option solves it, thanks a lot!

How to extract key value pairs out of a multivalue field?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk