topic How to divide field value to 2 fields? in Splunk Search

How to divide field value to 2 fields?

ednk — Tue, 03 May 2022 16:13:09 GMT

I requested to exclude 2 values from one field value.

I mean for each event I have "file_name", that written in the same shape.

the city is first, and than the tool, so i want to extract these value for each event

file_name	city	tool
montreal - tool3 - SFR - Alert ID 123456 - (3 May 2022 01:20:24 IDT)	montreal	tool3

richgalloway — Tue, 03 May 2022 15:36:52 GMT

I'd use rex.

| rex field=file_name "(?<city>\S+)\s*-\s*(?<tool>\S+)"

The regex may need to be adjusted depending on the expected values for city and tool.

ednk — Wed, 04 May 2022 12:11:08 GMT

thanks!

and how can I extract the time "3 May 2022 01:20:24" ?

richgalloway — Wed, 04 May 2022 12:37:16 GMT

That's easy to do with a separate rex command.

| rex field=file_name "\((?<timestamp>[^\)]+)"