Solved: How to split by delimiter?

ranjithan · ‎02-23-2023

Hi Splunkers,

Reaching out for help

This is a sample _raw event:

12.23.454, abcd, 12.34.45,abc@gmail.com,"[EXTERNAL] 300,000+ software product demos",SEND,OK

i want to split this by using the split command , using comma as a delimiter and assign to different fields.

However, "EXTERNAL] 300,000+ software product demos" is a single field and i dont want it to be split into multiple fields

In few other events, comma is not present . For instance:

12.23.454, abcd, 12.34.45,abc@gmail.com, "[EXTERNAL] 300000+ software product demos" ,SEND,OK

How do i ensure that these values are assigned to the field in the events.

"EXTERNAL] 300,000+ software product demos"

"[EXTERNAL] 300000+ software product demos"

Thanks for your help

ITWhisperer · ‎02-23-2023

You could try something like this

| rex max_match=0 "(?<field>([^\",]+|\"[^\"]+\")),?"

ITWhisperer · ‎02-23-2023

You could try something like this

| rex max_match=0 "(?<field>([^\",]+|\"[^\"]+\")),?"

ranjithan · ‎02-23-2023

Thank You , this helps!

How to split by delimiter?