Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to split by delimiter?

ranjithan
Path Finder
‎02-23-2023 08:37 AM

Hi Splunkers,

Reaching out for help

This is a sample _raw event: 

12.23.454, abcd, 12.34.45,abc@gmail.com,"[EXTERNAL] 300,000+ software product demos",SEND,OK

i want to split  this by using the split command ,  using  comma as a delimiter  and assign to different fields.

However,  "EXTERNAL] 300,000+ software product demos"  is a single field   and i dont want it to be split into multiple fields

 In few  other events, comma is not present . For instance:

12.23.454, abcd, 12.34.45,abc@gmail.com,  "[EXTERNAL] 300000+ software product demos"  ,SEND,OK

 

How do i ensure that these values are assigned to the field in the events. 

"EXTERNAL] 300,000+ software product demos"

"[EXTERNAL] 300000+ software product demos"

 

Thanks for your help 

 

 

 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-23-2023 09:11 AM

You could try something like this

| rex max_match=0 "(?<field>([^\",]+|\"[^\"]+\")),?"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-23-2023 09:11 AM

You could try something like this

| rex max_match=0 "(?<field>([^\",]+|\"[^\"]+\")),?"
Reply
Solved! Jump to solution

ranjithan
Path Finder
‎02-23-2023 09:19 AM

Thank You , this helps! 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...