Solved: How to split data in a single cell?

MR1992 · ‎03-15-2023

I have the following data in a Cell that reads

1.01.01 Example App AL11111

Is there a way I can split the data into 3 separate columns, there are no delimiters, I thought using space but I have entries that do have spaces in the middle section.

e.g.

1.1.1.10

Example App

AL11111

One thing to note, the initial numbers will always be 8 characters long and the AL***** will always be 7 characters

Thanks

ITWhisperer · ‎03-15-2023

Your initial example only has 7 characters in the first part, so this would work

| rex "(?<field1>[^\s]+)\s(?<field2>.*)\s(?<field3>[^\s]*)"

If you want to be more strict, try this

| rex "(?<field1>[^\s]{8})\s(?<field2>.*)\s(?<field3>[^\s]{7})"

View solution in original post

MR1992 · ‎03-15-2023

This worked perfectly, thank you

ITWhisperer · ‎03-15-2023

Your initial example only has 7 characters in the first part, so this would work

| rex "(?<field1>[^\s]+)\s(?<field2>.*)\s(?<field3>[^\s]*)"

If you want to be more strict, try this

| rex "(?<field1>[^\s]{8})\s(?<field2>.*)\s(?<field3>[^\s]{7})"

How to split data in a single cell?

field extraction

fields

stats

table

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...