topic How to split different field values into separate fields in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-split-different-field-values-into-separate-fields/m-p/619804#M215404 <P>Hello Everyone, I have a field in this format and this information is fetched from a json array.</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">Label&nbsp;</TD></TR><TR><TD width="100%">apple 1</TD></TR><TR><TD width="100%">apple 2</TD></TR><TR><TD width="100%">apple 3</TD></TR><TR><TD width="100%">banana 1</TD></TR><TR><TD width="100%">banana 2</TD></TR><TR><TD width="100%">banana 3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How can I split this in&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="25px">Apples</TD><TD width="50%" height="25px">Bananas&nbsp;</TD></TR><TR><TD width="50%" height="25px">apple 1&nbsp;</TD><TD width="50%" height="25px">banana 1</TD></TR><TR><TD width="50%" height="25px">apple 2</TD><TD width="50%" height="25px">banana 2</TD></TR><TR><TD width="50%" height="25px">apple 3</TD><TD width="50%" height="25px">banana 3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><SPAN>I'm not able to identify what character to use in the split function.</SPAN>I have read various solutions on this page but none of them match this situation.&nbsp;</P><P>Thanks in advance for any help you provide.</P><P>&nbsp;</P> Mon, 07 Nov 2022 07:24:43 GMT anuhya_b 2022-11-07T07:24:43Z How to split different field values into separate fields https://community.splunk.com/t5/Splunk-Search/How-to-split-different-field-values-into-separate-fields/m-p/619804#M215404 <P>Hello Everyone, I have a field in this format and this information is fetched from a json array.</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">Label&nbsp;</TD></TR><TR><TD width="100%">apple 1</TD></TR><TR><TD width="100%">apple 2</TD></TR><TR><TD width="100%">apple 3</TD></TR><TR><TD width="100%">banana 1</TD></TR><TR><TD width="100%">banana 2</TD></TR><TR><TD width="100%">banana 3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How can I split this in&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="25px">Apples</TD><TD width="50%" height="25px">Bananas&nbsp;</TD></TR><TR><TD width="50%" height="25px">apple 1&nbsp;</TD><TD width="50%" height="25px">banana 1</TD></TR><TR><TD width="50%" height="25px">apple 2</TD><TD width="50%" height="25px">banana 2</TD></TR><TR><TD width="50%" height="25px">apple 3</TD><TD width="50%" height="25px">banana 3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><SPAN>I'm not able to identify what character to use in the split function.</SPAN>I have read various solutions on this page but none of them match this situation.&nbsp;</P><P>Thanks in advance for any help you provide.</P><P>&nbsp;</P> Mon, 07 Nov 2022 07:24:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-different-field-values-into-separate-fields/m-p/619804#M215404 anuhya_b 2022-11-07T07:24:43Z Re: How to split different field values into separate fields https://community.splunk.com/t5/Splunk-Search/How-to-split-different-field-values-into-separate-fields/m-p/619810#M215408 <P>Given that you cannot identify the split character, and you have the benefit of being able to see the data, how do you expect us to be able to do any better?</P><P>Having said that, assuming the split character is a white space, try something like this</P><LI-CODE lang="markup">| rex field=Label "(?&lt;fruit&gt;\S+)" | eval {fruit}=Label | streamstats count as row by fruit | stats values(*) as * by row | fields - row fruit Label</LI-CODE> Mon, 07 Nov 2022 08:12:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-different-field-values-into-separate-fields/m-p/619810#M215408 ITWhisperer 2022-11-07T08:12:10Z