How do I extract a comma separated field during se...

andyk · ‎02-14-2013

I have event data in Splunk that look like this:

2013-02-14 11:32:46.4314 app=ws3 sev=INFO mid=1325748 , Fooo, Barr, , 7 rue de fuubarr, , 44540, xx zzz la yyyyy, , FR, ENG, , 1031, EUR,,,

I need to do an Ad Hoc report that count the events grouped by country. The country information is in the filed that contains "FR" in this example event.

rsantkumar · ‎05-20-2020

hi @jeff @andyk : I have 3 fields(Key, Version, Date) seperated by comma and records(can be many) seperated by ;(semicolon).

Example: pgn-aemrules,1.1,2020-04-02;pgn-csharp,8.4 (build 15306),2020-02-21;pgn-csharp,8.5 (build 15942),2020-03-16;

I am trying to extract the 3 fields and display as a table in splunk. Please help.

jeff · ‎02-14-2013

Assuming all of your data has the same format:

{ search criteria } 
| rex field=_raw "^([^,]+,){9} +(?<country>[^,]+)"

rsantkumar · ‎05-20-2020

hi @jeff @andyk @Rob : I have 3 fields(Key, Version, Date) seperated by comma and records(can be many) seperated by ;(semicolon).

Example: pgn-aemrules,1.1,2020-04-02;pgn-csharp,8.4 (build 15306),2020-02-21;pgn-csharp,8.5 (build 15942),2020-03-16;

I am trying to extract the 3 fields and display as a table in splunk. Please help.

andyk · ‎02-15-2013

Works perfect! Thanks!

Rob · ‎02-14-2013

Nicely done!

How do I extract a comma separated field during search?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

How do I extract a comma separated field during search?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud