Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I split _raw data into multiple table fields?

slord
Engager
‎08-22-2018 10:05 AM

I have the following data in _raw and I need to split the data at the semicolon into multiple fields in a table

LOG INPUT (_raw)

2018-08-22 10:45:19,834 ;Application 1;Status Known;SEARCH_STRING;APP_STATUS
2018-08-22 10:44:19,834 ;Application 2;Status Unknown;SEARCH_STRING;APP_STATUS
2018-08-22 10:43:19,834 ;Application 4;Status Offline;SEARCH_STRING;APP_STATUS
2018-08-22 10:42:19,834 ;Application 5;Status Known;SEARCH_STRING;APP_STATUS
2018-08-22 10:41:19,834 ;Application 3;Status Known;SEARCH_STRING;APP_STATUS
2018-08-22 10:40:19,834 ;Application 1;Status Offline;SEARCH_STRING;APP_STATUS

I want a table that looks like

Date                     | Application Name  | Status         | Search        | Ingore
2018-08-22 10:45:19,834  | Application 1     | Status Known   | SEARCH_STRING | APP_STATUS
2018-08-22 10:44:19,834  | Application 2     | Status Unknown | SEARCH_STRING | APP_STATUS
2018-08-22 10:43:19,834  | Application 4     | Status Offline | SEARCH_STRING | APP_STATUS
2018-08-22 10:42:19,834  | Application 5     | Status Known   | SEARCH_STRING | APP_STATUS
2018-08-22 10:42:19,834  | Application 3     | Status Known   | SEARCH_STRING | APP_STATUS
2018-08-22 10:41:19,834  | Application 1     | Status Offline | SEARCH_STRING | APP_STATUS
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-22-2018 10:59 AM

Use the rex command.

index=foo | rex "(?<Date>[^;]+)\s;(?<Application>[^;]+);(?<Status>[^;]+);(?<Search>[^;]+);(?<Ignore>.*)" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

horsefez
Motivator
‎08-22-2018 11:23 AM

Hi @slord,

you should rather go for the field extractor tool in splunk to extract out the fields you want. You do have an option to choose "delimiter" ";" as an option there.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-22-2018 10:59 AM

Use the rex command.

index=foo | rex "(?<Date>[^;]+)\s;(?<Application>[^;]+);(?<Status>[^;]+);(?<Search>[^;]+);(?<Ignore>.*)" | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

slord
Engager
‎08-23-2018 06:46 AM

You are awesome, that worked ... thanks!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-24-2018 11:45 AM

@slord, if your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...