Splunk Search

How to display comma separated in two column in Splunk under events or statistics or visualization?

rpachamuthu
Engager

case_S56_search_Get_T01_search,{"success":false "message":"Note not found: 52229548" "messageCode":"**" "localizedMessage":"Note not found: *****" "responseObject":null "warning":null}

 

I want to display above string  comma separated in two column in splunk under events or statistice or visualization

I have thousands of string similar like like with different names of first string (case_S56_search_Get_T01_search)

 

index=**** source=*ResponseAnalyzer* | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

Please help me

Labels (3)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

If the first part doesn't contain comma, you can simply do

 

index=**** source=*ResponseAnalyzer*
| rex field=ExistingFieldMaybe_raw "^(?<My1stCaptureFieldName>[^,]+)[,\s]+(?<My2ndCaptureFieldName>[^,]+)"

 

This will give you something like

My1stCaptureFieldNameMy2ndCaptureFieldName
case_S56_search_Get_T01_search{"success":false "message":"Note not found: 52229548" "messageCode":"**" "localizedMessage":"Note not found: *****" "responseObject":null "warning":null}

Is this what you are asking?

Also curious: are you sure that the second part is not a conformant JSON object, i.e., there is no "," between fields? (No effect on rex.)

 

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...