topic Re: How can I split values based on two possible delimiters? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214074#M62788 <P>Creative solution to make your search a lot less cluttered. </P> Tue, 14 Apr 2020 18:20:45 GMT Yepeza 2020-04-14T18:20:45Z How can I split values based on two possible delimiters? https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214067#M62781 <PRE><CODE> | eval field2=mvindex(split(word, " "),2) </CODE></PRE> <P>How can I split based on either space " " or comma ","<BR /> Beforehand, I do not know which delimiter will be there, so I want to use both.</P> Mon, 07 Nov 2016 21:23:22 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214067#M62781 smhsplunk 2016-11-07T21:23:22Z Re: How can I split values based on two possible delimiters? https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214068#M62782 <P>Why don't you rex the space into a comma first and then split on comma only:</P> <PRE><CODE>your base query to give you word | rex mode=sed field=word "s/\ /,/g" | split now on comma here </CODE></PRE> Mon, 07 Nov 2016 21:30:18 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214068#M62782 gokadroid 2016-11-07T21:30:18Z Re: How can I split values based on two possible delimiters? https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214069#M62783 <P>You can use makemv command with tokenizer option to achieve the same. Try something like this</P> <PRE><CODE>your current search | eval field2=word | makemv tokenizer="(\w+)" field2 </CODE></PRE> <P>OR</P> <PRE><CODE>your current search | eval field2=word | makemv tokenizer="([^\s,]+)" field2 </CODE></PRE> Mon, 07 Nov 2016 22:19:20 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214069#M62783 somesoni2 2016-11-07T22:19:20Z Re: How can I split values based on two possible delimiters? https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214070#M62784 <P>You can try replace command on one of the delimiter fields and replace with other delimiter (in following case comma replaced with space) and then use single delimiter for split(in this case only delimiter will be space: </P> <P>your base search <STRONG>| eval word=replace(word,","," ") |</STRONG> eval field2=mvindex(split(word, " "),2) </P> Tue, 08 Nov 2016 05:10:24 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214070#M62784 niketn 2016-11-08T05:10:24Z Re: How can I split values based on two possible delimiters? https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214071#M62785 <P>This is how I wold do it. You take the field where you have the <CODE>word</CODE> and then split it inn to two new field.</P> <PRE><CODE>your search | rex field=word "(?&lt;field1&gt;\w+)[\s,](?&lt;field2&gt;\w+)" </CODE></PRE> <P>Then you should have first part in <CODE>field1</CODE> and second part in <CODE>field2</CODE></P> Tue, 08 Nov 2016 06:55:07 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214071#M62785 lakromani 2016-11-08T06:55:07Z Re: How can I split values based on two possible delimiters? https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214072#M62786 <P>how can I skip a space (if field2 is empty) and chose the next character , would I have to use if statement ?</P> Wed, 09 Nov 2016 20:12:03 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214072#M62786 smhsplunk 2016-11-09T20:12:03Z Re: How can I split values based on two possible delimiters? https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214073#M62787 <P>Can you give example of that word? If condition can definitely be used.</P> Wed, 09 Nov 2016 21:41:23 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214073#M62787 niketn 2016-11-09T21:41:23Z Re: How can I split values based on two possible delimiters? https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214074#M62788 <P>Creative solution to make your search a lot less cluttered. </P> Tue, 14 Apr 2020 18:20:45 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-split-values-based-on-two-possible-delimiters/m-p/214074#M62788 Yepeza 2020-04-14T18:20:45Z