Hi @brdr ...the above 2 SPL are working fine as you can see on the screenshots below.
the easiest one is the split command:

| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| eval temp=split(field_id,"/") | eval field_key1=mvindex(temp,2) | eval field_key2=mvindex(temp,4) 
| table field_id field_key1 field_key2

| makeresults
| eval field_id="/key1/value1/key2/value2/key3/value3/key4/value4"
| rex field=field_id max_match=0 "/(?<key>[^/]*)/(?<value>[^/]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 10[ eval _key=mvindex(key, <<FIELD>>), {_key}=mvindex(value, <<FIELD>>) ]

Hi @bowesmana .. instead of k and v, i used key and value, it works fine as well. 

could you pls explain how the last eval works (why do you use "eval _k")

@inventsekar You can use whatever two variables you like, a/b, k/v, key/value

In the foreach using a var name with _ prefix means that it will not be generally visible as a field, so in case you forget to remove the field _key, it will not be seen as part of the data. I often use that just to make sure temporary fields are hidden and don't become part of the working dataset.

The syntax {_key}=mvindex(value,<<FIELD>>) uses Splunk's encoding to create a new field (left hand side) that has the name of the VALUE of _key and it takes the n'th multivalue element from the value MV based on <<FIELD>> which is effectively a loop of the values of the foreach statement 0 1 2 3 4...

It's the same as doing this

| makeresults
| fields - _time
| eval key="NAME", value="ANTONY"
| eval {key}=value

where you will end up with a new field called NAME with the value of ANTONY

There should really be cleanup to remove the temporary field names k,v,_k, so a | fields statement would be a good idea at the end.

Great, thanks a lot @bowesmana ,..much appreciated !