How to display comma separated in two column in Sp...

rpachamuthu · ‎09-28-2022

case_S56_search_Get_T01_search,{"success":false "message":"Note not found: 52229548" "messageCode":"**" "localizedMessage":"Note not found: *****" "responseObject":null "warning":null}

I want to display above string comma separated in two column in splunk under events or statistice or visualization

I have thousands of string similar like like with different names of first string (case_S56_search_Get_T01_search)

index=**** source=*ResponseAnalyzer* | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

Please help me

yuanliu · ‎09-28-2022

If the first part doesn't contain comma, you can simply do

index=**** source=*ResponseAnalyzer*
| rex field=ExistingFieldMaybe_raw "^(?<My1stCaptureFieldName>[^,]+)[,\s]+(?<My2ndCaptureFieldName>[^,]+)"

This will give you something like

My1stCaptureFieldName	My2ndCaptureFieldName
case_S56_search_Get_T01_search	{"success":false "message":"Note not found: 52229548" "messageCode":"" "localizedMessage":"Note not found: ***" "responseObject":null "warning":null}

Is this what you are asking?

Also curious: are you sure that the second part is not a conformant JSON object, i.e., there is no "," between fields? (No effect on rex.)

How to display comma separated in two column in Splunk under events or statistics or visualization?

other

regex

table

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!