https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405114#M71902 <P>I have a lookup that I try to divide using a "line break" as a delimiter. It's kind of hard to explain so I attached a screenshot of what I would like to do.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7394i103173472BBC09A3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> In the screenshot you can see that there is a line break between the data (eg. Data1 and Data2). </P> <P>Would this be possible to do in splunk? thanks</P> Wed, 24 Jul 2019 00:32:07 GMT salt87 2019-07-24T00:32:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405114#M71902 <P>I have a lookup that I try to divide using a "line break" as a delimiter. It's kind of hard to explain so I attached a screenshot of what I would like to do.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7394i103173472BBC09A3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> In the screenshot you can see that there is a line break between the data (eg. Data1 and Data2). </P> <P>Would this be possible to do in splunk? thanks</P> Wed, 24 Jul 2019 00:32:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405114#M71902 salt87 2019-07-24T00:32:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405115#M71903 <P>Is this your input file? And are you trying to add this file into Splunk and process it?</P> <P>If yes, what's the expected processed result out of this input file?</P> Sat, 27 Jul 2019 06:09:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405115#M71903 jawaharas 2019-07-27T06:09:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405116#M71904 <P>Splunk is a plain-text tool so why in the world would you post an image? We cannot help you.</P> Sun, 28 Jul 2019 12:50:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405116#M71904 woodcock 2019-07-28T12:50:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405117#M71905 <P>I wonder if some of your terminology is keeping folks from being able to form a constructive answer... a lookup in Splunk is one of several formats, but they are all specific and structured. The delimiter is specific. <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Aboutlookupsandfieldactions">https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Aboutlookupsandfieldactions</A></P> <P>Depending on how large and dynamic this file is, you might be better off pre-processing it and then feeding it in as a lookup either to the KV store or as a csv. But you could also legitimately read that file (if it is very dynamic and perhaps very large) into an index (you can have as many indexes as you like) using whatever you like as your delimiter. When the destination is an index... Splunk has a very powerful parsing capability that allows you to describe whatever the shape of your line and the break. You would do this in the <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/propsconf">props.conf</A> file. </P> <P>The confusion I think is that you appear to have data that is the result of a report on top (not events, nor is it a format for which you would use as a lookup) and on the bottom is something more along the lines of what you might use for a lookup. But ALL of it is "pipe" delimited. Each line would be broken with a carriage return and line feed <CODE>([\r\n]+)</CODE> and you can choose to represent all of it in a number of ways. You are going to want to start <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Configureeventlinebreaking">here:</A> </P> <P>Hopefully this will get you started... if not. Can you perhaps elaborate on your use case please?</P> Mon, 29 Jul 2019 03:29:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405117#M71905 rsennett_splunk 2019-07-29T03:29:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405118#M71906 <P>" It's kind of hard to explain so I attached a screenshot of what I would like to do."</P> Sun, 11 Aug 2019 23:18:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405118#M71906 salt87 2019-08-11T23:18:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405119#M71907 <P>You are still not make sense. Show us your raw event data, then show us a mockup of your desired final output.</P> Mon, 12 Aug 2019 02:55:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-divide-field-value-using-quot-line-break-quot-as-a/m-p/405119#M71907 woodcock 2019-08-12T02:55:03Z