Split raw string by a separator

ifbeli · ‎12-18-2017

Hi,

Basically I have a raw string, part of huge csv file.

Additional Role Service Line: None
Comments / Additional information:
ACTION: *** New Starter - Add Role(s) ***";"whatever info
Email Address: some_email
First Name: name

I wanna extract everything after 'Comments'. I came up with the below 2 queries, but none of them is working. I know it might be a basic query, but I am new to Splunk.

index=test_regular_expression source="report_test_data.csv"  | fields Description | eval tmp_result=split(Description, "Comments") | eval result=mvindex(tmp_result,0) | fields + result 

index=test_regular_expression source="report_test_data.csv" | fields Description | makemv delim="Comments" Description allowempty=false

Ignore the index name, the csv file column is called 'Description'.

richgalloway · ‎12-18-2017

Perhaps this will get you going in the right direction.

index=test_regular_expression source="report_test_data.csv"  | rex field=Description "Comments(?<Comments>.*)" | ...

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎12-18-2017

Try this

index=test_regular_expression source="report_test_data.csv"  | fields Description  | rex field=Description "Comments(?<Comments>.+)"

Split raw string by a separator

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!