Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Values with Pipe as String

andimak
New Member
‎06-16-2017 12:45 AM

Hi,

I have events which look like that:
a=test1 b=test2 func=test3|test4|test5
and
a=test1 b=test2 func=test5

if a make a search on func i get results like test3 or test5, but i want "test3|test4|test5" and test5 as result.
I tried to extract a new Field but its not working like i want it. It doesnt work with a delimiter space cause i will get the other key=value pairs too in this extracted field. And I dont really know how to make the regex extracted field to do this.

regards

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎06-16-2017 05:01 AM

In a search pipeline, you can do this to turn those three values into single values in a multivalue field...

| makemv delim="|" func

Here's a related answer - https://answers.splunk.com/answers/174880/how-to-extract-pipe-separated-subfields-from-a-fie.html

Hmmm. The pipes should not interfere with a normal extraction or a normal search.

Just be aware that with any command using regular expressions (regex, match, etc) you will need to escape the pipe character, or it will be interpreted as "OR".

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...