Splunk Search

Extract fields/subfields into table pipe and ":" delimited and name columns in fly


My search string "[.Id.IdCreateService] - Promotion Created, Promotion Settings For PromoCode=121509PromoId=3550966 : 17429150|Gillette|111082|9999999|Save $5.00 on Gillette|Save $5.00 on ONE Gillette Fusion ProShield Razor|2016-04-29T07:00:00Z|2016-05-02T07:00:00Z|2016-07-02T07:00:00Z||811000474001215093500110100|JM|[047400656048, 047400656055]|[]||RetailerBanners : [Banner1]"

Fields are pipe delimited but the 3rd column as highlighted in Bold Italic starts after ":" and would need to name them as column 1,2..as below. Appreciate any suggestions.

Want to extract fields into a table like

PromoCode PromoId Column 1 Column 2 Column 3 Column 4 Column 5 Column 6 Column 7 Column 8 Column 9 Column 10
121509 3550966 17429150 Gillette 111082 9999999 Save $5.00 on Gillette Save $5.00 on ONE Gillette Fusion ProShield 2016-04-29T07:00:00Z 2016-05-02T07:00:00Z 2016-07-02T07:00:00Z

Tags (1)
0 Karma


Please see the answer for your other question here. I think this ended up being a duplicate, or near enough. If that is indeed the case, let me know and I'll delete it as a dupe.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...