Solved: How to split single line field value into multiple...

pavanae · ‎04-06-2022

I have a field value in splunk with the below format :-

field_X = "AB 012 - some text here! ---- HOST INFORMATION: ---- Source: 1.1.2.3 ---- DETAILS: -- Destination ports: 777 33 -- Occurrences: 2244 -- Destination ip counts: 146 -- Actions: blocked -- Order Techniques : X3465 "

Now How can I split the abpve field value into multiple lines to make it more user redable using eval and regex

field_X = 
AB 012 - some text here! 
HOST INFORMATION: 
Source: 1.1.2.3 
DETAILS: 
Destination ports: 777 33 
Occurrences: 2244 
Destination ip counts: 146 
Actions: blocked 
Order Techniques : X3465

All I wanted is replace "--" with a line space or something to divide the field into multiple lines from 1 line?

bowesmana · ‎04-06-2022

See this example

| makeresults
| eval field_X = "AB 012 - some text here! ---- HOST INFORMATION: ---- Source: 1.1.2.3 ---- DETAILS: -- Destination ports: 777 33 -- Occurrences: 2244 -- Destination ip counts: 146 -- Actions: blocked -- Order Techniques : X3465 "
| makemv delim="--" field_X
| eval field_X=trim(field_X)

View solution in original post

bowesmana · ‎04-06-2022

See this example

| makeresults
| eval field_X = "AB 012 - some text here! ---- HOST INFORMATION: ---- Source: 1.1.2.3 ---- DETAILS: -- Destination ports: 777 33 -- Occurrences: 2244 -- Destination ip counts: 146 -- Actions: blocked -- Order Techniques : X3465 "
| makemv delim="--" field_X
| eval field_X=trim(field_X)

bowesmana · ‎04-06-2022

Note that field_X will then be a multi-value field with 9 values

How to split single line field value into multiple lines using regex?

field extraction

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms