Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i split the multiple events into fields and one field must be dynamic.

Annna
Explorer
‎10-08-2020 04:23 AM

my event is below :

6|1|1|12|1907|1|1|1219079|1|1|126G|19079|1|1|12NB|190|1|1|126G774_100_NB|1907|1|1|126G|19079

sometimes A field will change the number as 5, 7, 8 like 5rows and 7 rows will come so that A is dynamic.

ABCDE
611650_3M1921   
 111758749   
 115522   
 115533   
 115555   
 115566   
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2020 12:05 PM

Change the first rex to this

| rex "^(?:([^\|]+\|){4})(?<A>[^\|]+)(?<NotA>.*)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2020 05:09 AM

I suspect the event you gave as an example is missing a pipe (and possibly data) between D and E in the second group and should have been?

6|1|1|12|1907|1|1|126G|19079|1|1|126G|19079|1|1|12NB|190|1|1|126G774_100_NB|1907|1|1|126G|19079

Assuming the missing pipe to be the case

| rex "(?<A>[^\|]+)(?<NotA>.*)"
| rex max_match=0 field=NotA "(?<BCDE>(\|[^\|]+){4})"
| mvexpand BCDE
| rex field=BCDE "\|(?<B>[^\|]+)\|(?<C>[^\|]+)\|(?<D>[^\|]+)\|(?<E>.+)"

 

0 Karma
Reply
Solved! Jump to solution

Annna
Explorer
‎10-08-2020 06:21 AM

thank you so much for quick response. 

0 Karma
Reply
Solved! Jump to solution

Annna
Explorer
‎10-08-2020 06:20 AM

this is my sample events 

|6|1|1|126G7|1907|1|1|126G7|19079|1|1|126G77|190795|1|1|126G7|190795|1|1|126G|1907|1|1|126G|1907

|7|1|1|126G7|19076|1|1|126G7|19079|1|1|126G77|190795|1|1|126G7|190795|1|1|126G|1907|1|1|126G|19078|1|1|126G7|19078|

i want output be like 

611650_3M1921   
 111758749   
 115522   
 115533   
 115555   
 115566   
711650_3M1921   
 111758749   
 115522   
 115533   
 115555   
 115566   
 115566   
3115566   
 115566   
 115566   
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2020 06:32 AM

Is the only difference the fact that A is repeated on the other rows? If so

| rex "(?<A>[^\|]+)(?<NotA>.*)"
| rex max_match=0 field=NotA "(?<BCDE>(\|[^\|]+){4})"
| mvexpand BCDE
| rex field=BCDE "\|(?<B>[^\|]+)\|(?<C>[^\|]+)\|(?<D>[^\|]+)\|(?<E>.+)"
| streamstats count as row by A
| eval A=if(row=1,A,null())
| fields - row
0 Karma
Reply
Solved! Jump to solution

Annna
Explorer
‎10-08-2020 11:55 AM

Thank you so much. It is very helpful. 

If the event will be as below means

Abc|cbde1|elog|700|6|1|1|126G7|1907|1|1|126G7|19079|1|1|126G77|190795|1|1|126G7|190795|1|1|126G|1907|1|1|126G|1907

How can I slipt from |6 onwards. 

Once again, thanks quick response. 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-08-2020 12:05 PM

Change the first rex to this

| rex "^(?:([^\|]+\|){4})(?<A>[^\|]+)(?<NotA>.*)"
0 Karma
Reply
Solved! Jump to solution

Annna
Explorer
‎10-09-2020 12:11 AM

Its working Awesome. Thank you so much 😊

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...