https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410448#M118425 <P>HI @pstamati,</P> <P>You can use rex command. Can you please try the following search?</P> <PRE><CODE>| makeresults | eval _raw="\"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\"" | rex field=_raw max_match=10 "\"(?&lt;Values&gt;.*?)\"" </CODE></PRE> Tue, 26 Jun 2018 17:22:34 GMT kamlesh_vaghela 2018-06-26T17:22:34Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410447#M118424 <P>Hello everyone, I have this field with values that are retrieved withing "" but not separated by any character, and I was wondering how to represent those into different lines using the Split function, but I'm not able to split these are I'm not able to identify what character to use in the split function. <BR /> See an example of the field value:</P> <PRE><CODE>"RTS851""SASPROD""SYS""JYCX""DEVUSER""SCFL""SYSTEM""CZ""VATUSER""CYBERDBUSER""ILOG666" </CODE></PRE> <P>I tried using <CODE>|eval Values=split(Value,"")</CODE> but didn't work.</P> <P>See results:</P> <PRE><CODE>" R T S 8 5 1 " " S A S P R O D </CODE></PRE> <P>Any idea ?<BR /> Thanks in advance for any help you can provide.</P> Tue, 26 Jun 2018 16:58:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410447#M118424 pstamati 2018-06-26T16:58:47Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410448#M118425 <P>HI @pstamati,</P> <P>You can use rex command. Can you please try the following search?</P> <PRE><CODE>| makeresults | eval _raw="\"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\"" | rex field=_raw max_match=10 "\"(?&lt;Values&gt;.*?)\"" </CODE></PRE> Tue, 26 Jun 2018 17:22:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410448#M118425 kamlesh_vaghela 2018-06-26T17:22:34Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410449#M118426 <P>you have 4 single quotes or 2 double quotes. what happens if you try this enclosing them like this |eval Values=split(Value,"""")</P> Tue, 26 Jun 2018 17:23:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410449#M118426 Sukisen1981 2018-06-26T17:23:30Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410450#M118427 <P>another way is to use regex,that would surely work out</P> Tue, 26 Jun 2018 17:24:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410450#M118427 Sukisen1981 2018-06-26T17:24:00Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410451#M118428 <P>Just have in mind \"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\" is just the value of the filed I want to split into multiple values. the same field will have different values.</P> <P>To explain this better, the field contains multiple "Usernames". Each line will have different Usernames all together in the same field value. I want to splint the field having 1 line per Username, so instead of having </P> <P>"RTS851""SASPROD""SYS""JYCX""DEVUSER"</P> <P>I get something like<BR /> "RTS851"<BR /> "SASPROD"<BR /> "SYS"<BR /> "JYCX"<BR /> "DEVUSER"</P> <P>Is it clearer?</P> Tue, 26 Jun 2018 17:40:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410451#M118428 pstamati 2018-06-26T17:40:28Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410452#M118429 <P>Let’s say the field name is abc</P> <P>| makemv abc delims=‘“\”’<BR /> | mvexpand abc<BR /> | rex mode=sed “s/“|\//g”</P> Tue, 26 Jun 2018 17:42:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410452#M118429 jkat54 2018-06-26T17:42:44Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410453#M118430 <P>These are 4 different records, where the value of the field Output contains a list of usernames as follows:</P> <P>"RTS851""SASPROD""SYS""JYCX""DEVUSER""SCFL""SYSTEM""CZ""VATUSER""CYBERDBUSER""ILOG666"<BR /> "SYSTEM""LBS$MAUGAETE""LBS$AORELLAN""SYS"<BR /> "SYSTEM""LBS$MAUGAETE""LBS$AORELLAN""SYS""ESTADISTICA"<BR /> "LBS$ACISTERN""SYS""ADMINDBA""LBS$AORELLAN""LBS$ROLGONZA""LBS$PRANA""SYSTEM"</P> <P>What I want, is to be able to have the value of each field "Output" like it follows:<BR /> RTS851<BR /> SASPROD<BR /> SYS<BR /> JYCX<BR /> DEVUSER<BR /> SCFL<BR /> SYSTEM<BR /> CZ<BR /> VATUSER<BR /> CYBERDBUSER<BR /> ILOG666</P> Tue, 26 Jun 2018 18:59:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410453#M118430 pstamati 2018-06-26T18:59:44Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410454#M118431 <P>| rex mode=sed “s/“|\//g” this part give an error, that I cannot solve. Any idea?<BR /> Error in 'SearchParser': Missing a search command before '\'. </P> Tue, 26 Jun 2018 20:38:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410454#M118431 pstamati 2018-06-26T20:38:14Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410455#M118432 <P>It worked. I got confused with the |makeresults, command but once I removed that and the first eval, it worked pretty good. Many thanks!!</P> Tue, 26 Jun 2018 20:49:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410455#M118432 pstamati 2018-06-26T20:49:50Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410456#M118433 <P>Oh it’s because I didn’t surround the sed expression with single quotes.</P> Tue, 26 Jun 2018 21:36:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410456#M118433 jkat54 2018-06-26T21:36:44Z https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410457#M118434 <P>Alternative without regex would be to replace the <CODE>""</CODE> by a single character using the <CODE>replace()</CODE> function. Then split by that character.</P> <P>For example replace double quotes by semi-colon (and trim of the quotes at start and end) and then split by semi-colon:</P> <PRE><CODE>| makeresults | eval _raw="\"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\"" | eval test = replace(_raw,"\"\"",";") | eval test = replace(test,"\"","") | eval test = split(test,";") </CODE></PRE> Wed, 27 Jun 2018 07:16:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-values-within-a-field-that-are-not-separated-by-any/m-p/410457#M118434 FrankVl 2018-06-27T07:16:24Z