Is it possible to dynamically generate column names from key-value data? That is, I don't want to explicitly list the keys to be extracted but instead just pick up anything in a given pattern. Our developers can add arbitrary key-value pairs for debugging purposes and it would be nice to pick those up without updating the Sumo Logic search / field extraction.
So, instead of something like the following from the doc:
* | keyvalue regex "=(.*?)[,|}]" keys "serviceinfo.IP", "loggingcontext.region", "request.method" as ip, region, method
...just say something like:
* | keyvalue regex="(.*?)=(.*?)"
The key name would come from the first group, the value from the second. Is this possible and I haven't figured it out, or is this not a supported feature for keyvalue? Is it possible using some other combination of operators?