Solved: Re: Splitting Data in a single Cell

MR1992 · ‎03-15-2023

I have the following data in a Cell that reads

1.01.01 Example App AL11111

Is there a way I can split the data into 3 separate columns, there are no delimiters, I thought using space but I have entries that do have spaces in the middle section.

e.g.

1.1.1.10

Example App

AL11111

One thing to note, the initial numbers will always be 8 characters long and the AL***** will always be 7 characters

Thanks

ITWhisperer · ‎03-15-2023

Your initial example only has 7 characters in the first part, so this would work

| rex "(?<field1>[^\s]+)\s(?<field2>.*)\s(?<field3>[^\s]*)"

If you want to be more strict, try this

| rex "(?<field1>[^\s]{8})\s(?<field2>.*)\s(?<field3>[^\s]{7})"

View solution in original post

MR1992 · ‎03-15-2023

This worked perfectly, thank you

ITWhisperer · ‎03-15-2023

Your initial example only has 7 characters in the first part, so this would work

| rex "(?<field1>[^\s]+)\s(?<field2>.*)\s(?<field3>[^\s]*)"

If you want to be more strict, try this

| rex "(?<field1>[^\s]{8})\s(?<field2>.*)\s(?<field3>[^\s]{7})"

How to split data in a single cell?

field extraction

fields

stats

table

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?