Re: How to display comma separated in two column i...

rpachamuthu · ‎09-28-2022

case_S56_search_Get_T01_search,{"success":false "message":"Note not found: 52229548" "messageCode":"**" "localizedMessage":"Note not found: *****" "responseObject":null "warning":null}

I want to display above string comma separated in two column in splunk under events or statistice or visualization

I have thousands of string similar like like with different names of first string (case_S56_search_Get_T01_search)

index=**** source=*ResponseAnalyzer* | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

Please help me

yuanliu · ‎09-28-2022

If the first part doesn't contain comma, you can simply do

index=**** source=*ResponseAnalyzer*
| rex field=ExistingFieldMaybe_raw "^(?<My1stCaptureFieldName>[^,]+)[,\s]+(?<My2ndCaptureFieldName>[^,]+)"

This will give you something like

My1stCaptureFieldName	My2ndCaptureFieldName
case_S56_search_Get_T01_search	{"success":false "message":"Note not found: 52229548" "messageCode":"" "localizedMessage":"Note not found: ***" "responseObject":null "warning":null}

Is this what you are asking?

Also curious: are you sure that the second part is not a conformant JSON object, i.e., there is no "," between fields? (No effect on rex.)

How to display comma separated in two column in Splunk under events or statistics or visualization?

regex

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation