Display table with field values having spaces

Nidd · ‎10-31-2019

I have a field named Source which contains spaces.
eg:

index=myIndex |Source=My Source Value|ComponentValue=My Component Value

To make this field displayed in a table, I used the following command.

rex "Source=(?<Source>[\S\s]*),{15}"

For which, I get

-----------------------
Source
-----------------------
My
My Source Value
My
My

If I'm doing like:

rex "Source=(?<Source>[\S\s]*)" | table Source | rename Source as source

I get the value I require, but also the entire log as well.

i.e:

-----------------------
Source
-----------------------
My Source Value
index=myIndex |Source=My Source Value|ComponentValue=My Component Value

My Source Value
index=myIndex |Source=My Source Value|ComponentValue=My Component Value

Can someone please help how to achieve this?

arjunpkishore5 · ‎10-31-2019

Are you trying to extract the value of Source from the following text ? "|Source=My Source Value|ComponentValue=My Component Value" If yes, use this

| rex field=_raw "Source=(?<Source>[^|]+)"

Hope this helps.

Cheers

kamlesh_vaghela · ‎10-31-2019

@Nidd

Try | rex "Source=(?<Source>[\S\s]*)\|"

Example:

| makeresults 
| eval _raw=" index=myIndex |Source=My Source Value|ComponentValue=My Component Value" 
| rex "Source=(?<Source>[\S\s]*)\|"

Display table with field values having spaces

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Are you a member of the Splunk Community?

Display table with field values having spaces

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University