topic Re: Split string into fields in Splunk Search

Split string into fields

darkins — Wed, 27 Nov 2024 16:49:56 GMT

fieldA:1:10 fieldB:1:3 fieldC:1:2

fieldA:1:10 fieldC:1:2

fieldC:1:1

I want to end up with a field called fieldA, fieldb, and fieldC where the field name is the actual text found in the string as i cant predict which event will contain which combination

Re: Split string into fields

dural_yyz — Wed, 27 Nov 2024 17:18:02 GMT

Do you mean?

fieldA	fieldB	fieldC
1:10	1:3	1:2
1:10		1:2
1:10		1:2
		1:1

Re: Split string into fields

ITWhisperer — Wed, 27 Nov 2024 17:30:23 GMT

Assuming your data is in the _raw field

| eval parts=split(_raw, " ") | mvexpand parts | eval name=mvindex(split(parts,":"),0) | eval value=mvjoin(mvindex(split(parts,":"),1,2),":") | eval {name}=value

Re: Split string into fields

darkins — Wed, 27 Nov 2024 19:23:44 GMT

this is awesome, but is there a way to make the results columns (additional fields on my results)

Re: Split string into fields

ITWhisperer — Wed, 27 Nov 2024 21:14:50 GMT

Please share some raw anonymised events so we can see what you are dealing with so we can try and help you further. Please use the code block </> above to preserve the format of the events so that we can suggest the correct field extractions for you.

Re: Split string into fields

bowesmana — Wed, 27 Nov 2024 22:31:27 GMT

If you want to add these fields to a table you are creating but don't know what the fields are called, then you can use @ITWhisperer technique, but change it slightly so that it is

... | eval cust_field_{name}=value | table fields_you_want cust_field_* | rename cust_field_* as *

which will effectively give you cust_field_fieldA and so on with that consistent prefix, then you can use the table statement to table out the fields you want and all those custom fields and then use wildcard rename to get rid of the prefix.