I'm trying to pull KV pairs from an event field, and having trouble. The issue is I don't know what the field names will be, nor how many. The parent field value also groups the KV pairs within braces, adding an additional layer of brain trauma. In testing, /([^{=,]+)=([^,}]+)/g does the job in regex101, but not Splunk.

Such as:

| makeresults
| eval msg.additionalValues="{field1=value1, field2=value2, field3=value3}"
| rex field=msg.additionalValues "/([^{=,]+)=([^,}]+)/g"

Results in:

Error: "Error in 'rex' command: The regex '/([^{=,]+)=([^,}]+)/g' does not extract anything. It should specify at least one named group. Format: (?<name>...)."

Since I have multiple named groups, how is this possible?
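The pattern from the post applied to its sample value outside Splunk, as an added example that is not part of the original post; the function names and the second sample string are constructed for illustration. It shows what the two groups capture when the field names are not known in advance, including the leading space kept in every key after the first.

```python
import re

# Pattern from the post, without the /.../g wrapper used in regex101.
POST_PATTERN = re.compile(r"([^{=,]+)=([^,}]+)")

# Sample value from the post.
SAMPLE = "{field1=value1, field2=value2, field3=value3}"

# Constructed sample: a value containing '=' and a value containing a space.
CONSTRUCTED = "{user=alice, query=a=b, note=two words}"


def raw_pairs(text):
    """Return (key, value) tuples exactly as the two groups capture them."""
    return POST_PATTERN.findall(text)


def parse_kv(text):
    """Turn '{k1=v1, k2=v2}' into a dict without knowing the keys up front.

    Keys and values are stripped, because the separator is ', ' and the
    key class [^{=,]+ also matches the space that follows each comma.
    """
    fields = {}
    for key, value in raw_pairs(text):
        key, value = key.strip(), value.strip()
        if key:  # skip a pair whose key is only whitespace
            fields[key] = value
    return fields


if __name__ == "__main__":
    for sample in (SAMPLE, CONSTRUCTED, "{}"):
        print(repr(sample))
        print("  raw   :", raw_pairs(sample))
        print("  parsed:", parse_kv(sample))
```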