One capture group value becomes the field name for the next capture group

regex splunk

I'm using PCRE2 (PHP >=7.3) in Splunk. I have data that is major delimited by carriage returns/new lines and minor delimited by commas as key/value pairs.

key1="value1",key2="value2",key3="value3",key4="... and so on. The number of key value pairs varies per event and I'd like to be able capture an arbitrary number of key values but in order to do so I would need to dynamically name the values. For example, the value of key1 would become the field name of the value1, key2 would become the field name of value2, etc for as many key/value pairs are found. (.*?)\=\"(.*?)\" is as far as I've gotten but Splunk requires field extractions to be named.

Is there a way to do this?

Thanks in advance, ~Tensore


You can do that at index time using props and transform. There's an example of it at https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Exampleconfigurationsusingfieldtransforms#Handling_events_with_multivalue_fields

Put this in your transforms.conf file:

[mytransform]
REGEX = ([^=]+)=([^,]+)
FORMAT = $1::$2
REPEAT_MATCH = true
MV_ADD = true

Then put this in props.conf:

[mysourcetype]
TRANSFORMS-parse = mytransform

Related

How to enable offline cache (offline browsing) in Chome?
Turn a row's background black if cell has #VALUE! - OpenOffice Calc
How to Create Excel 2010 Scatter Chart with Text Values
My windows 7 downloads files with appended lines
No restore option with Clonezilla
IIS Express returns HTTP Error 400 after calling from Ubuntu WSL
Windows 10 desktop Bluetooth headset not recognized as such
How to calculate all possible combinations of 1 to n variables taking 2 values
Show that $\sum_{k=1}^n \binom{n}{k}k^2=n^2\cdot \:2^{n-2}+n\cdot \:2^{n-2}$.
Strong convexity of Loss function in Logistic Regression
Why $c_1 ^{\omicron(\sigma)} = c_1 \implies c_1(\tau _1) = \tau_1 $ etc.
Show that there exists a regular function that is not a quotient of polynomials