How to display comma separated in two column in Sp...

rpachamuthu · ‎09-28-2022

case_S56_search_Get_T01_search,{"success":false "message":"Note not found: 52229548" "messageCode":"**" "localizedMessage":"Note not found: *****" "responseObject":null "warning":null}

I want to display above string comma separated in two column in splunk under events or statistice or visualization

I have thousands of string similar like like with different names of first string (case_S56_search_Get_T01_search)

index=**** source=*ResponseAnalyzer* | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

Please help me

yuanliu · ‎09-28-2022

If the first part doesn't contain comma, you can simply do

index=**** source=*ResponseAnalyzer*
| rex field=ExistingFieldMaybe_raw "^(?<My1stCaptureFieldName>[^,]+)[,\s]+(?<My2ndCaptureFieldName>[^,]+)"

This will give you something like

My1stCaptureFieldName	My2ndCaptureFieldName
case_S56_search_Get_T01_search	{"success":false "message":"Note not found: 52229548" "messageCode":"" "localizedMessage":"Note not found: ***" "responseObject":null "warning":null}

Is this what you are asking?

Also curious: are you sure that the second part is not a conformant JSON object, i.e., there is no "," between fields? (No effect on rex.)

How to display comma separated in two column in Splunk under events or statistics or visualization?

regex

table

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?