Splunk Search

How to display comma separated in two column in Splunk under events or statistics or visualization?

rpachamuthu
Engager

case_S56_search_Get_T01_search,{"success":false "message":"Note not found: 52229548" "messageCode":"**" "localizedMessage":"Note not found: *****" "responseObject":null "warning":null}

 

I want to display above string  comma separated in two column in splunk under events or statistice or visualization

I have thousands of string similar like like with different names of first string (case_S56_search_Get_T01_search)

 

index=**** source=*ResponseAnalyzer* | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

Please help me

Labels (3)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

If the first part doesn't contain comma, you can simply do

 

index=**** source=*ResponseAnalyzer*
| rex field=ExistingFieldMaybe_raw "^(?<My1stCaptureFieldName>[^,]+)[,\s]+(?<My2ndCaptureFieldName>[^,]+)"

 

This will give you something like

My1stCaptureFieldNameMy2ndCaptureFieldName
case_S56_search_Get_T01_search{"success":false "message":"Note not found: 52229548" "messageCode":"**" "localizedMessage":"Note not found: *****" "responseObject":null "warning":null}

Is this what you are asking?

Also curious: are you sure that the second part is not a conformant JSON object, i.e., there is no "," between fields? (No effect on rex.)

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...