1

I'm using PCRE2 (PHP >=7.3) in Splunk. I have data that is major delimited by carriage returns/new lines and minor delimited by commas as key/value pairs.

key1="value1",key2="value2",key3="value3",key4="... and so on. The number of key value pairs varies per event and I'd like to be able capture an arbitrary number of key values but in order to do so I would need to dynamically name the values. For example, the value of key1 would become the field name of the value1, key2 would become the field name of value2, etc for as many key/value pairs are found. (.*?)\=\"(.*?)\" is as far as I've gotten but Splunk requires field extractions to be named.

Is there a way to do this?

Thanks in advance, ~Tensore

Tensore
  • 73
  • 5
  • What do you mean by "the value of key1 would become the field name of the value1"? Could you include an example in your post? – harrymc Oct 04 '21 at 20:23
  • Sure, for example: `dv_name=Tensore` could be captured with `(.*?)\=\"(.*?)\"` but I would have to provide a field name for Splunk: `dv_name\=\"(?.*?)\"`. This means I have to know the key name in order to provide the `dv_name`. I'd like to dynamically capture the key name, to provide the naming of the value in the key value pair: `(.*?)\"` Since there are varying amount of key/value pairs I would have to explicitly reference each key's name in order for the regex to work. I would prefer not to do that if possible. – Tensore Oct 04 '21 at 20:38

1 Answers1

1

You can do that at index time using props and transform. There's an example of it at https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Exampleconfigurationsusingfieldtransforms#Handling_events_with_multivalue_fields

Put this in your transforms.conf file:

[mytransform]
REGEX = ([^=]+)=([^,]+)
FORMAT = $1::$2
REPEAT_MATCH = true
MV_ADD = true

Then put this in props.conf:

[mysourcetype]
TRANSFORMS-parse = mytransform
RichG
  • 143
  • 6