I've got some log data that has a multi-line event in this format:
2011-04-28 11:40:00|ACTION|1304005199906869|stuff|stuff|stuff
SPARAM|1304005199906869|PartNumber|1613034
SPARAM|1304005199906869|OtherParameter|8528
SPARAM|1304005199906869|OtherParameter2|true
Thanks to the help of others on this forum, I can now pull each of the key-value pairs from the SPARAM rows, but I have to use one field extract per possible key:
... | rex field=_raw "(?m-s)^SPARAM\|\d*\|PartNumber\|(?<SearchPartNumber>.*)"
Is it possible to write one extract that would give me all the keys as different fields? I've got about 20 possible keys, and I want to make this extract future-proof as well?
Can I write something that will give me "PartNumber", "OtherParameter" and "OtherParameter2" as field names?
Thanks.
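Added example, not part of the original post and not Splunk configuration: a Python parser for the multi-line format shown above, in which the key name is captured by the regex rather than hard-coded, so new keys need no new extract. The second event, the names `parse_events`, `HEADER` and `SPARAM`, the rule that SPARAM rows must carry the header's id, and the field-name cleanup are assumptions of this example.

```python
import re

# First event is the one from the post; the second event and the stray row are constructed.
SAMPLE = """\
2011-04-28 11:40:00|ACTION|1304005199906869|stuff|stuff|stuff
SPARAM|1304005199906869|PartNumber|1613034
SPARAM|1304005199906869|OtherParameter|8528
SPARAM|1304005199906869|OtherParameter2|true
2011-04-28 11:40:05|ACTION|1304005204000001|stuff|stuff|stuff
SPARAM|1304005204000001|PartNumber|A|B
SPARAM|1304005204000001|Part-Number 2|77
SPARAM|1304005204000001|PartNumber|42
SPARAM|9999|PartNumber|stray
"""

# Header row: timestamp|type|id|rest-of-line
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|([^|]+)\|(\d+)\|")
# Parameter row: the key is a capture group, the value is the remainder of the line
# (so a value may itself contain '|').
SPARAM = re.compile(r"^SPARAM\|(\d+)\|([^|]+)\|(.*)$")


def parse_events(text):
    """Return (events, unmatched). Each event holds its SPARAM keys as fields."""
    events, unmatched, current = [], [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        head = HEADER.match(line)
        if head:
            current = {"time": head.group(1), "type": head.group(2),
                       "id": head.group(3), "fields": {}}
            events.append(current)
            continue
        row = SPARAM.match(line)
        # Only attach a parameter to the event whose id it carries.
        if row and current is not None and row.group(1) == current["id"]:
            # Key names come from log data: reduce them to safe field names.
            key = re.sub(r"\W", "_", row.group(2))
            # A repeated key becomes a multi-value field instead of overwriting.
            current["fields"].setdefault(key, []).append(row.group(3))
        else:
            unmatched.append(line)
    return events, unmatched


if __name__ == "__main__":
    for event in parse_events(SAMPLE)[0]:
        print(event["id"], event["fields"])
```

Rows that match neither pattern, or whose id differs from the current header, are returned in `unmatched` rather than silently dropped, which makes format drift visible.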