Splunk Search

How to extract two fields separated by delimiter comma ","?

New Member

Here is my output from splunk

    2014.09.19 13:33:37.739,2014.09.19       13:33:37.726,13,dsd45sd4,gdm=DT30&kslsdj=LiveToday,/cpt/mtp/fgkt/,,gzip,NONE_FOUND,data,

I want




field please help

0 Karma

Splunk Employee
Splunk Employee

Another method is to use the props/transforms combination that uses the comma as a delimiter. Here is an example:


 REPORT-fields = commafields


 DELIMS = ","
 FIELDS = field1, field2, field3, field4, uri, field6, field7, field8, field9, date

Here is a link to more information:



If you don't feel comfortable or have direct access to the conf files you can do this also in the web UI

Simply put the regex into a transform settings > fields > transformations

Then you create a new extraction in settings > fields > field extractions, instead of inline you use tranformation and give the name of the transformation

This setup has the advantage that you can use the same regex/transformation in multiple extractions, therefore if the regex changes you only have to fix it once and not in every extraction.

you can do most of the changes in the web UI which is mostly good enough, but not all of it..

0 Karma


Is the value you want is
field2="data" ?

The extraction regex will depend quite a bit whether the position is stable in relation to the separators ","

possible would be something like


This is not tested it could be that a backslash is required before the comma or that the questionmark has to be repositioned
you can simply test it by using a search on the corresponding data using the command rex like

<search> | rex field=_raw "[^,]+,[^,]+,[^,]+,(?<field1>[^,]+),[^,]+,[^,]+,[^,]+,[^,]+,(?<field2>[^,]+),"

If the fields get extracted correctly you can configure them using the settings > fields > field extractions to extract them automatically on every search on this source or sourcetype or host

you can also use the Interactive field extractor of splunk I find it a good start but it sometimes produces weird expressions so I tend to rework the manually.

Here some documentation sources


0 Karma
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...