How do I extract a comma separated field during se...

andyk · ‎02-14-2013

I have event data in Splunk that look like this:

2013-02-14 11:32:46.4314 app=ws3 sev=INFO mid=1325748 , Fooo, Barr, , 7 rue de fuubarr, , 44540, xx zzz la yyyyy, , FR, ENG, , 1031, EUR,,,

I need to do an Ad Hoc report that count the events grouped by country. The country information is in the filed that contains "FR" in this example event.

rsantkumar · ‎05-20-2020

hi @jeff @andyk : I have 3 fields(Key, Version, Date) seperated by comma and records(can be many) seperated by ;(semicolon).

Example: pgn-aemrules,1.1,2020-04-02;pgn-csharp,8.4 (build 15306),2020-02-21;pgn-csharp,8.5 (build 15942),2020-03-16;

I am trying to extract the 3 fields and display as a table in splunk. Please help.

jeff · ‎02-14-2013

Assuming all of your data has the same format:

{ search criteria } 
| rex field=_raw "^([^,]+,){9} +(?<country>[^,]+)"

rsantkumar · ‎05-20-2020

hi @jeff @andyk @Rob : I have 3 fields(Key, Version, Date) seperated by comma and records(can be many) seperated by ;(semicolon).

Example: pgn-aemrules,1.1,2020-04-02;pgn-csharp,8.4 (build 15306),2020-02-21;pgn-csharp,8.5 (build 15942),2020-03-16;

I am trying to extract the 3 fields and display as a table in splunk. Please help.

andyk · ‎02-15-2013

Works perfect! Thanks!

Rob · ‎02-14-2013

Nicely done!

How do I extract a comma separated field during search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation