Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex every first event in the pair

ryastrebov
Communicator
‎03-11-2016 08:07 AM

Hello splunkers!

I have event in this format:

id_param1,id_value1,id_param2,id_value2,...,id_paramX,id_valueX

for example:

2,45,3,14,31,8,4356,abcd,4421,3,9,foo

I need to transform this into key-value pair:

2   45
3   14
31  8
4356   abcd
4421   3
9   foo

How I can make it by rex in Splunk?

Best regards,
Roman

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎03-11-2016 08:29 AM

Try this:

| yoursearch
| rex field=_raw max_match=0 "(?<key>[^\,]++)\,(?<value>[^\,]++)\,?"
| eval keyvalues = mvzip(key,value)

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎03-11-2016 08:29 AM

Try this:

| yoursearch
| rex field=_raw max_match=0 "(?<key>[^\,]++)\,(?<value>[^\,]++)\,?"
| eval keyvalues = mvzip(key,value)
Reply
Solved! Jump to solution

ryastrebov
Communicator
‎03-11-2016 08:34 AM

Great!!!

Thank you very much, it's working!

Best regards,
Roman

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...