Solved: How to split single line field value into multiple...

pavanae · ‎04-06-2022

I have a field value in splunk with the below format :-

field_X = "AB 012 - some text here! ---- HOST INFORMATION: ---- Source: 1.1.2.3 ---- DETAILS: -- Destination ports: 777 33 -- Occurrences: 2244 -- Destination ip counts: 146 -- Actions: blocked -- Order Techniques : X3465 "

Now How can I split the abpve field value into multiple lines to make it more user redable using eval and regex

field_X = 
AB 012 - some text here! 
HOST INFORMATION: 
Source: 1.1.2.3 
DETAILS: 
Destination ports: 777 33 
Occurrences: 2244 
Destination ip counts: 146 
Actions: blocked 
Order Techniques : X3465

All I wanted is replace "--" with a line space or something to divide the field into multiple lines from 1 line?

bowesmana · ‎04-06-2022

See this example

| makeresults
| eval field_X = "AB 012 - some text here! ---- HOST INFORMATION: ---- Source: 1.1.2.3 ---- DETAILS: -- Destination ports: 777 33 -- Occurrences: 2244 -- Destination ip counts: 146 -- Actions: blocked -- Order Techniques : X3465 "
| makemv delim="--" field_X
| eval field_X=trim(field_X)

View solution in original post

bowesmana · ‎04-06-2022

See this example

| makeresults
| eval field_X = "AB 012 - some text here! ---- HOST INFORMATION: ---- Source: 1.1.2.3 ---- DETAILS: -- Destination ports: 777 33 -- Occurrences: 2244 -- Destination ip counts: 146 -- Actions: blocked -- Order Techniques : X3465 "
| makemv delim="--" field_X
| eval field_X=trim(field_X)

bowesmana · ‎04-06-2022

Note that field_X will then be a multi-value field with 9 values

How to split single line field value into multiple lines using regex?

field extraction

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...