Display table with field values having spaces

Nidd · ‎10-31-2019

I have a field named Source which contains spaces.
eg:

index=myIndex |Source=My Source Value|ComponentValue=My Component Value

To make this field displayed in a table, I used the following command.

rex "Source=(?<Source>[\S\s]*),{15}"

For which, I get

-----------------------
Source
-----------------------
My
My Source Value
My
My

If I'm doing like:

rex "Source=(?<Source>[\S\s]*)" | table Source | rename Source as source

I get the value I require, but also the entire log as well.

i.e:

-----------------------
Source
-----------------------
My Source Value
index=myIndex |Source=My Source Value|ComponentValue=My Component Value

My Source Value
index=myIndex |Source=My Source Value|ComponentValue=My Component Value

Can someone please help how to achieve this?

arjunpkishore5 · ‎10-31-2019

Are you trying to extract the value of Source from the following text ? "|Source=My Source Value|ComponentValue=My Component Value" If yes, use this

| rex field=_raw "Source=(?<Source>[^|]+)"

Hope this helps.

Cheers

kamlesh_vaghela · ‎10-31-2019

@Nidd

Try | rex "Source=(?<Source>[\S\s]*)\|"

Example:

| makeresults 
| eval _raw=" index=myIndex |Source=My Source Value|ComponentValue=My Component Value" 
| rex "Source=(?<Source>[\S\s]*)\|"

Display table with field values having spaces

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Display table with field values having spaces

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits