Hi,
Well, there must be a really easy answer for this, but I seem to be mentally blocked. 🙂
So if I have a field after a search that contains a string with regular key/value syntax, but I don't know what keys will be there, how can I extract those keys into actual Splunk fields?
E.g.
... | eval bla="gc_bla=bla gc_hsg=1234 gc_foo=bar" | ...
How do I get gc_bla, gc_hsg and gc_foo as fields in Splunk that I can work with?
I figured out how to do it with extract and something in transforms.conf, but I expect there is a more straightforward way?
hi knielsen
Use this search code to extract your field
... | rex field=bla "gc_bla=(?<field1>\w+)\s+gc_hsg=(?<field2>\d+)\s+gc_foo=(?<field3>\w+)" | table field1 field2 field3
You can use this regex in your transforms.conf file
I cannot use this kind of regex because "I don't know what keys will be there". Also, I cannot be sure of the order. Otherwise that would be the way to go.
I would go for the props and transforms option.
Your transforms.conf can be something as simple as (you might need to improve the regex below by the way):
[mytransform]
REGEX = (?<_KEY_1>\w+)=(?<_VAL_1>\w+)
FORMAT = $1::$2
And then in your props.conf
[BLA]
...
REPORT-abc = mytransform
http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Transformsconf
That's almost exactly what I came up with already, but thinking that using transforms.conf would be overkill. 🙂 The key=value structure in the string is so simple that I was thinking there must be a way to do this without this kind of configuration.
If there is no more generic way, I'll accept this later.
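A search-only alternative for the generic case, added here as an illustration and not taken from any of the posts above: the extract (kv) command parses arbitrary key=value pairs without knowing the keys or their order, but it only reads _raw, so the field is swapped into _raw for the duration of the command. It assumes a field named bla with the sample value from the question; makeresults is used only to make the search self-contained, and on real events the two rename steps preserve the original _raw.

```spl
| makeresults
| eval bla="gc_bla=bla gc_hsg=1234 gc_foo=bar"
| rename _raw AS orig_raw
| eval _raw=bla
| extract pairdelim=" " kvdelim="="
| rename orig_raw AS _raw
| fields - bla
| table gc_bla gc_hsg gc_foo
```

The result carries gc_bla, gc_hsg and gc_foo as ordinary fields, and any other key=value pair present in the string becomes a field too. Because the pair delimiter is a single space, a value that itself contains spaces would be cut at the first space, so that case still needs the transforms.conf regex approach.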