Solved: Re: Splitting Data in a single Cell

MR1992 · ‎03-15-2023

I have the following data in a Cell that reads

1.01.01 Example App AL11111

Is there a way I can split the data into 3 separate columns, there are no delimiters, I thought using space but I have entries that do have spaces in the middle section.

e.g.

1.1.1.10

Example App

AL11111

One thing to note, the initial numbers will always be 8 characters long and the AL***** will always be 7 characters

Thanks

ITWhisperer · ‎03-15-2023

Your initial example only has 7 characters in the first part, so this would work

| rex "(?<field1>[^\s]+)\s(?<field2>.*)\s(?<field3>[^\s]*)"

If you want to be more strict, try this

| rex "(?<field1>[^\s]{8})\s(?<field2>.*)\s(?<field3>[^\s]{7})"

View solution in original post

MR1992 · ‎03-15-2023

This worked perfectly, thank you

ITWhisperer · ‎03-15-2023

Your initial example only has 7 characters in the first part, so this would work

| rex "(?<field1>[^\s]+)\s(?<field2>.*)\s(?<field3>[^\s]*)"

If you want to be more strict, try this

| rex "(?<field1>[^\s]{8})\s(?<field2>.*)\s(?<field3>[^\s]{7})"

How to split data in a single cell?

field extraction

fields

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation