Re: How do I extract a comma separated field durin...

andyk · ‎02-14-2013

I have event data in Splunk that look like this:

2013-02-14 11:32:46.4314 app=ws3 sev=INFO mid=1325748 , Fooo, Barr, , 7 rue de fuubarr, , 44540, xx zzz la yyyyy, , FR, ENG, , 1031, EUR,,,

I need to do an Ad Hoc report that count the events grouped by country. The country information is in the filed that contains "FR" in this example event.

rsantkumar · ‎05-20-2020

hi @jeff @andyk : I have 3 fields(Key, Version, Date) seperated by comma and records(can be many) seperated by ;(semicolon).

Example: pgn-aemrules,1.1,2020-04-02;pgn-csharp,8.4 (build 15306),2020-02-21;pgn-csharp,8.5 (build 15942),2020-03-16;

I am trying to extract the 3 fields and display as a table in splunk. Please help.

jeff · ‎02-14-2013

Assuming all of your data has the same format:

{ search criteria } 
| rex field=_raw "^([^,]+,){9} +(?<country>[^,]+)"

rsantkumar · ‎05-20-2020

hi @jeff @andyk @Rob : I have 3 fields(Key, Version, Date) seperated by comma and records(can be many) seperated by ;(semicolon).

Example: pgn-aemrules,1.1,2020-04-02;pgn-csharp,8.4 (build 15306),2020-02-21;pgn-csharp,8.5 (build 15942),2020-03-16;

I am trying to extract the 3 fields and display as a table in splunk. Please help.

andyk · ‎02-15-2013

Works perfect! Thanks!

Rob · ‎02-14-2013

Nicely done!

How do I extract a comma separated field during search?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How do I extract a comma separated field during search?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!