https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411036#M167822 <P>sorry for the format of the text it appears. I could not preview it or see the option to edit my post.</P> Fri, 17 Aug 2018 05:10:58 GMT afulamba 2018-08-17T05:10:58Z https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411035#M167821 <P>Hi there,<BR /> Can someone help me with reading the tokenized string and assign the keys to each index retrieved. It is difficult for me as it is not key/value format to read.</P> <P>Log sample:<BR /> <CODE><BR /> CustomerService<CODE>getPointDetails</CODE>6686<CODE></CODE>0x00000000<CODE>Successful Response</CODE>2<CODE>3</CODE>0<CODE>Louis/ST=Missouri/C=US</CODE> <CODE></CODE>PRODESB6_STL|18234799|180817043259896<CODE>SAML</CODE>0<CODE>0</CODE><BR /> </CODE><BR /> I know which values is for what field in the sequence they appear in the logs. It does has space as a value too. I did tried below but since there are more than 20 fields I have to extracts, the query becomes very long and ugly and can cause performance too.</P> <P><CODE><BR /> index=app sourcetype = audit<BR /><BR /> | eval tokenString=mvindex(split(mvindex(split(_raw,"gtid("),1),"): <CODE>"),1) <BR /> | eval temp=split(tokenString,"</CODE>") <BR /> | eval field0=mvindex(temp,0) <BR /> | eval field1=mvindex(temp,1)<BR /><BR /> </CODE><BR /> I did check few regex option on web, that was also long query too.</P> <P>Please advise.</P> <P>Thanks,</P> Fri, 17 Aug 2018 05:06:10 GMT https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411035#M167821 afulamba 2018-08-17T05:06:10Z https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411036#M167822 <P>sorry for the format of the text it appears. I could not preview it or see the option to edit my post.</P> Fri, 17 Aug 2018 05:10:58 GMT https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411036#M167822 afulamba 2018-08-17T05:10:58Z https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411037#M167823 <P>@afulamba use the <CODE>&lt;code&gt;</CODE> button on Splunk Answers i.e. <CODE>101010</CODE> to post your code so that special characters do not escape. You can also select code to highlight and use shortcut <CODE>Ctrl+G</CODE> to convert to code (which adds four spaces prior to every line of code)</P> Fri, 17 Aug 2018 06:34:04 GMT https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411037#M167823 niketn 2018-08-17T06:34:04Z https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411038#M167824 <P>@niketnilay: Thank you! I will take a not of it for my next posts.</P> Fri, 17 Aug 2018 07:12:17 GMT https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411038#M167824 afulamba 2018-08-17T07:12:17Z https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411039#M167825 <P>Reposting sample log and my code<BR /> <CODE><BR /> CustomerService<CODE>getPointDetails</CODE>6686<CODE>435</CODE>52<CODE>8</CODE>52<CODE>0x00000000</CODE>Successful Response<CODE>2</CODE>3<CODE>0</CODE>Louis/ST=Missouri/C=US<CODE>PRODESB6_STL|18234799|180817043259896SAML</CODE>0<CODE>0</CODE><BR /> </CODE></P> <P>My code:<BR /> <CODE><BR /> </CODE><BR /> index=app sourcetype = audit | eval tokenString=mvindex(split(mvindex(split(_raw,"gtid("),1),"): "),1) <BR /> | eval temp=split(tokenString,"`") <BR /> | eval field0=mvindex(temp,0) <BR /> | eval field1=mvindex(temp,1)</P> Fri, 17 Aug 2018 07:15:24 GMT https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411039#M167825 afulamba 2018-08-17T07:15:24Z https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411040#M167826 <P>Can someone help me here, please?</P> <P>Thanks,<BR /> Amit</P> Sat, 18 Aug 2018 02:55:41 GMT https://community.splunk.com/t5/Splunk-Search/Assign-keys-to-tokenised-string/m-p/411040#M167826 afulamba 2018-08-18T02:55:41Z