Solved: How to split a field into two different fields usi...

pavanae · ‎05-12-2023

I have a field as follows in the logs

user="userAbc1 (host1234)"

As you can see both the username and hostname fields are together in the user field. Now how do I apply regex and separate both the fields into 2 corresponding fields as follows

user=userAbc1

host=host1234

gcusello · ‎05-12-2023

Hi @pavanae.

please try this:

| rex field=user "^(?<user>.*)\s+\((?<host>[^\)]*)\)"

Ciao.

Giuseppe

View solution in original post

richgalloway · ‎05-12-2023

Try this rex command.

| rex field=foo "(?<user>\S+)\s\((?<host>=[^\(]+)"

---
If this reply helps you, Karma would be appreciated.

gcusello · ‎05-12-2023

Hi @pavanae.

please try this:

| rex field=user "^(?<user>.*)\s+\((?<host>[^\)]*)\)"

Ciao.

Giuseppe

gcusello · ‎05-12-2023

Hi @pavanae ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

How to split a field into two different fields using eval in Splunk?

eval

field extraction

fields

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

How to split a field into two different fields using eval in Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.