I'm using PCRE2 (PHP >=7.3) in Splunk. I have data that is major delimited by carriage returns/new lines and minor delimited by commas as key/value pairs.
key1="value1",key2="value2",key3="value3",key4="... and so on. The number of key value pairs varies per event and I'd like to be able capture an arbitrary number of key values but in order to do so I would need to dynamically name the values. For example, the value of key1 would become the field name of the value1, key2 would become the field name of value2, etc for as many key/value pairs are found. (.*?)\=\"(.*?)\" is as far as I've gotten but Splunk requires field extractions to be named.
Is there a way to do this?
Thanks in advance, ~Tensore
dv_name=Tensorecould be captured with(.*?)\=\"(.*?)\"but I would have to provide a field name for Splunk:dv_name\=\"(?<dv_name>.*?)\". This means I have to know the key name in order to provide thedv_name. I'd like to dynamically capture the key name, to provide the naming of the value in the key value pair:(<whatever_this_is)\=\"(?<becomes_this>.*?)\"Since there are varying amount of key/value pairs I would have to explicitly reference each key's name in order for the regex to work. I would prefer not to do that if possible.