Tags: logging, charts, splunk, data-extraction

Splunk extract all values from array field


I have log entries containing counts per country in the format:

Map(USA -> 1234, CAN -> 5678, GBR -> 9012, FRA -> 3456)
Map(USA -> 1238, CAN -> 5692, GBR -> 9024, FRA -> 3478)
...

I want to make a timechart in Splunk with one series per country.

This is what I tried:

| rex "Map\((?<countries>([A-Z]+\ ->\ \d+(,\ )?)*)\)" | rex field=countries max_match=50 "(?<countries>[A-Z]+\ ->\ \d+)(,\ )?" | table _time countries

That works great and gives us two columns:

  1. time
  2. counts per country - array of entries in format "USA -> 1234"

Then I tried to create a timechart. I replaced:

| table _time countries

with:

| rex field=countries "(?<country>[A-Z]+)\ ->\ (?<count>\d+)" | timechart count by country limit=0

But the result is that all counts are taken from the last country in the list.

How can I extract the counts per country for all items in the array?


Solution

  • The following rex commands should be sufficient to extract the country names and counts:

    | makeresults 
    | eval m="Map(USA -> 1234, CAN -> 5678, GBR -> 9012, FRA -> 3456)"
    | rex field=m max_match=0 "(?<cc>\w+\s+->\s+\d+)"
    | mvexpand cc
    | rex field=cc "(?<country>\w+) -> (?<count>\d+)"
    | fields country, count
    | eval {country}=count
    | fields - country, count
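
The search below is an added example, not part of the question or the answer above; it carries the answer's approach through to the timechart the question asked for. It builds two constructed events with makeresults (the two sample Map(...) lines from the question, with the first event's timestamp shifted back one minute so the two fall into different buckets), captures every "XXX -> nnn" pair with max_match=0, splits the multivalue field into one event per pair with mvexpand, and only then extracts country and count and charts them. The field names cc, country, count and total are the answer's, plus total, which is an assumption chosen here.

```spl
| makeresults count=2
| streamstats count AS n
| eval _time = _time - (2 - n) * 60
| eval _raw = case(n == 1, "Map(USA -> 1234, CAN -> 5678, GBR -> 9012, FRA -> 3456)",
                   n == 2, "Map(USA -> 1238, CAN -> 5692, GBR -> 9024, FRA -> 3478)")
| rex field=_raw max_match=0 "(?<cc>[A-Z]+\s*->\s*\d+)"
| mvexpand cc
| rex field=cc "(?<country>[A-Z]+)\s*->\s*(?<count>\d+)"
| timechart span=1m sum(count) AS total BY country limit=0
```

The two points that matter are max_match=0 on the first rex, so that all pairs are captured instead of only the first, and mvexpand before the second rex, so that each country/count pair is its own event when timechart groups by country. On real data, replace the makeresults/eval lines with the base search that returns the log entries; _raw already holds the event text there.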