Re: How to split a string into multiple fields for...

pavan_bhumanapa · ‎08-01-2014

We have a scenario where we have many domains and we want to split it accordingly . Any advice would be great help .

test_corp1_osb_tid
-> product: osb
-> environment: tid
-> region: test
-> segment: corp

proc_osb_tid
-> product: osb
-> environment: tid
-> region: us
-> segment: proc

cvs_bpel_tid
-> product: bpel
-> environment: tid
-> region: us
-> segment: cvs

martin_mueller · ‎08-01-2014

Are you looking for a rex call? Your question isn't really clear on that.

... | rex field=domain "^(?:(?<region>[^_]+)_)?(?<segment>[^_]+)_(?<product>[^_]+)_(?<environment>[^_]+)$" | eval region = coalesce(region, "us") | ...

pavan_bhumanapa · ‎08-26-2014

I am able to extract these fields using lookup.

martin_mueller · ‎08-04-2014

Regex are the way to go for extracting parts of a string.

Lookups add fields to an event based on some matching fields, similar to an SQL join.

pavan_bhumanapa · ‎08-04-2014

Do we have any other solution apart from regex? like lookups. I need to pull the values from log and split the string.

EX:

<Jul 25, 2014 9:51:25 AM MYT> <Error> <WliSbCustomResources> <aussoaditapp12.us.dell.com> <apj_corp1_osb_dit_ms2>

How to split a string into multiple fields for different domains

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation