Splunk Search

How to extract spaced delimited field with values containing spaces?

jesses
New Member

I have a space delimited field that may contain quoted values that also include spaces. For example:

Value1 Value2 Value3 Value4 "Value with a space 5" Value6

I think I need to use makemv, however this just nets me a exactly what you would expect:

| makeresults
| eval temp="Value1 Value2 Value3 Value4 \"Value with a space 5\" Value6"
| makemv temp
| fields - _time
Value1
Value2
Value3
Value4
"Value
with
a
space
5"
Value6

This leads me to think that I need a regex to parse it correctly, however I am no regex master. Anybody have any ideas?
Thanks!

0 Karma
1 Solution

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval temp="Value1 Value2 Value3 Value4 \"Value with a space 5\" Value6" 
| rex field=temp max_match=0 "(?P<temp>\"[^\"]*\"|[\S]+)+" 
| mvexpand temp 
| eval temp = replace(temp,"\"","") 
| mvcombine temp 
| table temp

View solution in original post

0 Karma

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval temp="Value1 Value2 Value3 Value4 \"Value with a space 5\" Value6" 
| rex field=temp max_match=0 "(?P<temp>\"[^\"]*\"|[\S]+)+" 
| mvexpand temp 
| eval temp = replace(temp,"\"","") 
| mvcombine temp 
| table temp
0 Karma

jesses
New Member

I've implemented this into my query and it is working perfectly! Thanks!

0 Karma

tiagofbmm
Influencer

Can you explain what you're looking to get out of that ?

0 Karma

jesses
New Member

I knew I forgot something.
The field temp should be a mv field containing the follwing:

Value1
Value2
Value3
Value4
Value with a space 5
Value6
0 Karma
Get Updates on the Splunk Community!

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...