I have a dataset where the rows in my search results all have a 'value' field, and there's another field that specifies what exactly this is the value of.
So picture having
name="color" value="red"
how could I get these rows to have
color="red"
And of course this is given that I have no idea what any of the names are going to be up front, so I have to set it dynamically.
Since there's a lot going on in the regex already I am a bit reluctant to try and do it in the transforms.conf stanza itself. However I'm at a loss for what such a regex would look like, so any help there is appreciated too. 😃
I'm sure someone has run into this before and rather than hack my way through it I thought I'd ask what the best practice is.
There are two ways that this can be done.
... | eval {name}=value | ...
... | chart first(value) by <rowid> name
If you still want to do it in transforms.conf, you would do:
REGEX = name="(?<_KEY_1>[^"]*)" value="(?<_VAL_1>[^"]*)"
i.e., Splunk will take pairs of named extractions and make KV pairs out of them. The above would be equivalent to:
REGEX = name="([^"]*)" value="([^"]*)"
FORMAT = $1::$2
Presumably your data looks something like:
{ name="color" value="red" }, { name="width" value="300" }, { name="height" value="150" }
which is fine, as the field extraction will get repeated by default.
The Splunk default extractions for WMI and Windows Event Logs in etc/system/default/transforms.conf use this general technique.
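As an added illustration (not part of the original answer or of Splunk's own code), the script below emulates what the REGEX/FORMAT pair does at search time: every match of the pattern is turned into a field whose name is taken from the captured name. It also shows why the quantifier matters: `[^"]` on its own matches exactly one character, so a value like `red` never matches at all. The sample event is constructed to look like the one in the answer; the function names are my own.

```python
import re

# Same pattern as the transforms.conf REGEX, with the quantifier present:
# [^"]* matches a whole quoted value (including an empty one).
PAIR_RE = re.compile(r'name="(?P<key>[^"]*)" value="(?P<val>[^"]*)"')

# Constructed sample event, shaped like the one in the answer.
SAMPLE_EVENT = (
    '{ name="color" value="red" }, { name="width" value="300" }, '
    '{ name="height" value="150" }'
)


def extract_dynamic_fields(event: str) -> dict:
    """Emulate FORMAT = $1::$2 applied to every match (what Splunk does with
    paired _KEY_n/_VAL_n captures): the captured name becomes the field name.
    Like `chart first(value) by <rowid> name`, the first value wins if the
    same name appears more than once in one event."""
    fields = {}
    for m in PAIR_RE.finditer(event):
        fields.setdefault(m.group("key"), m.group("val"))
    return fields


def matches_without_quantifier(event: str) -> int:
    """Count the pairs found by the pattern with a bare [^"], i.e. one
    character between the quotes. Any value longer than one character
    fails to match, so the extraction silently produces nothing."""
    broken = re.compile(r'name="([^"])" value="([^"])"')
    return len(broken.findall(event))


if __name__ == "__main__":
    print(extract_dynamic_fields(SAMPLE_EVENT))
    print(matches_without_quantifier(SAMPLE_EVENT))
```

In Splunk itself this is the transforms.conf stanza from the answer, referenced from props.conf with a REPORT- setting. One caveat worth keeping in mind: because the field name is taken from the event content, a malformed or hostile event can create arbitrary field names; if the set of expected names is known, checking extracted names against it in the search is a cheap sanity check.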
Thanks Gerald. I'd forgotten about the FORMAT key and I've just been doing named extractions. I'll take another look and this may be the way to go. My events are considerably messier than that unfortunately but even so, the FORMAT may well clean things up.
Awesome. Both are good solutions. I tend to prefer the "chart first(value) over