topic Re: How to split a field value and create multiple new fields at search-time? in Splunk Search

How to split a field value and create multiple new fields at search-time?

anoopambli — Wed, 25 Mar 2015 14:40:29 GMT

I have a search which returns drive usage of Windows servers. The information comes up like below in the field:

C: 50.15 😧 2.57
C: 32.32 E: 0.74 F: 0.72 G: 0.74 I: 0.72
C: 45.06 F: 0.77 G: 1.05

I want to split that into individual fields like below,

C:50
D:2.57

I am not able to figure out how to use eval to split this into multiple new fields. Can someone help me with this?

Re: How to split a field value and create multiple new fields at search-time?

cpetterborg — Wed, 25 Mar 2015 14:42:30 GMT

Do you want their fileds named sequentially like drive1, drive2, drive3, etc., or something like driveC, driveD, driveE, etc.?

Re: How to split a field value and create multiple new fields at search-time?

anoopambli — Wed, 25 Mar 2015 14:45:24 GMT

C, D, E..etc

Re: How to split a field value and create multiple new fields at search-time?

cpetterborg — Wed, 25 Mar 2015 15:02:07 GMT

I'm not sure of your reply about naming the fields, so here goes with the easiest (drive1, etc.):

<your search> | rex field=_raw "(?P<drive1>[C-Z]:\s\d+\.\d+)(\s+(?P<drive2>[C-Z]:\s\d+.\d+))?(\s+(?P<drive3>[C-Z]:\s\d+.\d+))?(\s+(?P<drive4>[C-Z]:\s\d+.\d+))?(\s+(?P<drive5>[C-Z]:\s\d+.\d+))?"

This assumes that there is nothing else in the event. If you have the data in a single field, then you can substitute that field name for _raw in the above rex.

If you do want the fields named something else, please describe exactly what you want and I can provide an update to this answer.

Re: How to split a field value and create multiple new fields at search-time?

cpetterborg — Wed, 25 Mar 2015 15:12:06 GMT

I decided to provide the driveC, driveD, etc. method as well. You will have to add to it as needed for additional drives. It also assumes that they will be listed in alphabetical order:

<your search> | rex field=_raw "(C:\s(?P<driveC>\d+\.\d+))?(\s+D:\s(?P<driveD>\d+.\d+))?(\s+E:\s(?P<driveE>\d+.\d+))?(\s+F:\s(?P<driveF>\d+.\d+))?(\s+G:\s(?P<driveG>\d+.\d+))?(\s+H:\s(?P<driveH>\d+.\d+))?(\s+I:\s(?P<driveI>\d+.\d+))?(\s+J:\s(?P<driveJ>\d+.\d+))?(\s+K:\s(?P<driveK>\d+.\d+))?(\s+L:\s(?P<driveL>\d+.\d+))?(\s+M:\s(?P<driveM>\d+.\d+))?"

If they are not to be in alphabetical order, the it will take a bit more to do.

Re: How to split a field value and create multiple new fields at search-time?

richgalloway — Wed, 25 Mar 2015 15:20:37 GMT

This will put an indefinite number of drives into two multi-valued variables.

... | rex max_match=0 "(?P<drive>[A-Z]:)\s(?P<usage>[0-9\.]+)" | ...

You can then use the mv* commands to extract the individual drives and usages.