Solved: How split up a sentence string into multiple words

ibowman1995 · ‎12-02-2019

Hi,
let's say there is a field like this:
userData= Split this string

Is it possible to extract this sentence into different fields?
userData1=split
userData2=this
userData3=string

dindu · ‎12-02-2019

Hi,

You could try this as well.
Please test and let us know.

| makeresults 
| eval userData="Split this string"
|table userData
|eval words=split(userData," ")
|eval userData1=mvindex(words,0),userData2=mvindex(words,1),userData3=mvindex(words,2)

View solution in original post

dindu · ‎12-02-2019

Hi,

You could try this as well.
Please test and let us know.

| makeresults 
| eval userData="Split this string"
|table userData
|eval words=split(userData," ")
|eval userData1=mvindex(words,0),userData2=mvindex(words,1),userData3=mvindex(words,2)

to4kawa · ‎12-02-2019

Hi, @ibowman1995
Yes, you can. try this.

| makeresults 
| eval userData="Split this string"
| rex field=userData "(?<userData1>[^ ]+) (?<userData2>[^ ]+) (?<userData3>[^ ]+)"

richgalloway · ‎12-02-2019

Yes, it's possible. Look in the search docs for split. It returns a multi-value field with the words from the original string. Use mvindex() to access them.

... | eval words = split(userData, " ") 
| eval userData1=mvindex(userData, 0), userData2=mvindex(userData,1), userData3=mvindex(userData, 2)

---
If this reply helps you, Karma would be appreciated.

jacono64 · ‎02-07-2020

i can confirm this works bc i had multiple fields in one string.

How split up a sentence string into multiple words

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation