Breaking of one field values into 2-3 different fields



I have a field called Location and It have data like Call Type, Site, Wing and Room all in just one field called Location. I want to break it down and separate Call Type, Wing and Room as 3 separate fields so that I can achieve filters on a dashboard.

Please let me know if that's achievable.


0 Karma

| stats count
| eval _raw="LOC_ID,LABEL
0000000100020003,Australia NSW Sydney Strathfield"
| multikv forceheader=1
| mvexpand _raw
| table LOC_ID LABEL
`comment("this is sample data")`
| rex field=LOC_ID "(?<Area_code>\d{4})(?<Country_code>\d{4})(?<States_code>\d{4})"
| rex field=LABEL "(?<Country>[^ ]+) (?<State>[^ ]+) (?<Region>[^ ]+) (?<Suburb>[^ ]+)"
| table LOC_ID Area_code Country_code States_code LABEL Country State Region Suburb

Hi, all. this is sample query.
How about this?
I divided it into four according to the example sentence.
Wasn't it divided into three?

@aberkow , I'm sorry to break into a conversation.

0 Karma


You should probably provide an example with delimiters, but you can do this with regex if nothing else.

0 Karma


Hi Anthony,

I have like two fields namely LOC_ID(Location Id) and LABEL(Location Description) so,

0000000100020003 Australia NSW Sydney Strathfield

so as you can see LOC_ID has like 16 digits and each 4 defines a value for example the first 4 0000 defines Country, the next 4 0001 States and so on.

I want to break LABEL field and get 3 new fields separately as State, Region and Suburb like so that I can add 3 filters on my dashboard such as State Region and suburb

0 Karma


I don't fully grasp which of the 4 values in label should go into which of the 3 buckets, but for LOC_ID you can use rex like anthony suggested or used substr if you know that it's always 16 digits

The syntax is as follows:
|eval Country=substr(LOC_ID, 1, 4) and this would take the first 4 digits of LOC_ID and create a new field called Country. You can do this for the other 3 as well. I like substr because it gives you a lot of string flexibility without the complexity of regex.

If you clarify the LABEL question I had I might be able to help there as well.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!