How to split a string into multiple fields for dif...

pavan_bhumanapa · ‎08-01-2014

We have a scenario where we have many domains and we want to split it accordingly . Any advice would be great help .

test_corp1_osb_tid
-> product: osb
-> environment: tid
-> region: test
-> segment: corp

proc_osb_tid
-> product: osb
-> environment: tid
-> region: us
-> segment: proc

cvs_bpel_tid
-> product: bpel
-> environment: tid
-> region: us
-> segment: cvs

martin_mueller · ‎08-01-2014

Are you looking for a rex call? Your question isn't really clear on that.

... | rex field=domain "^(?:(?<region>[^_]+)_)?(?<segment>[^_]+)_(?<product>[^_]+)_(?<environment>[^_]+)$" | eval region = coalesce(region, "us") | ...

pavan_bhumanapa · ‎08-26-2014

I am able to extract these fields using lookup.

martin_mueller · ‎08-04-2014

Regex are the way to go for extracting parts of a string.

Lookups add fields to an event based on some matching fields, similar to an SQL join.

pavan_bhumanapa · ‎08-04-2014

Do we have any other solution apart from regex? like lookups. I need to pull the values from log and split the string.

EX:

<Jul 25, 2014 9:51:25 AM MYT> <Error> <WliSbCustomResources> <aussoaditapp12.us.dell.com> <apj_corp1_osb_dit_ms2>

How to split a string into multiple fields for different domains

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation