Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Fields extraction in simple plain delimited log

verbal_666
Builder
‎09-08-2020 05:53 AM

Hi there.

A simple question.

I know, i can use "rex", as usual, to do the job, or other methods (fields extraction, definition etc... in WebIf in SearhHead), or do it directly in Indexers. props/transforms.. but, i'm curious to know if this can be made , easily, with a simple SPL command (like "extract" or "multikv", for example)...

Log has no header, so looks like... only key-value, no key-name and not an header,

 

timestamp;field1value;field2value;field3value;fieldNvalue

 

Can a SPL command (not rex 😉 ) extract those fields, also with temporary names (to rename then), in a simple way? Thanks.

Labels (1)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2020 05:59 AM

You could split the field using ";" as the delimiter, then eval your renamed fields using mvindex to pull out each one from the mv field

Reply

verbal_666
Builder
‎09-08-2020 06:38 AM

This is really what a need to do 😏

mysearch
| eval fields=split(_raw,";") , field1=mvindex(fields,1) , field2=mvindex(fields,2) , field3=mvindex(fields,3) , field4=mvindex(fields,4)
| table _raw fields field1 field2 field3 field4

 

Response,

"timestamp;field1value;field2value;field3value;fieldNvalue" "THE_MV_SPLITTED_FIELDS" FIELD1 FIELD2 FIELD3 FIELD4

... now i can work with all named extracted fields...

 

... went perfect 😁 it was under my eyes, as usual, and i didn't see it 😎

 

Thanks..... 👍

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 05:56 AM

how to identify which is field and which is value if there is no delimiter.

timestamp;field1value;field2value;field3value;fieldNvalue
————————————
If this helps, give a like below.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...