Solved: How to split data into multiple columns?

ayush1906 · ‎03-11-2019

I am having data in a single field in this format:
1. xyz 2. dsh bh 3. sdh dsd() 4. trrt .... so on

I want to split this data into multiple column like this

no.  |    name
1           xyz
2          dsh bh
3          sdh dsd
4          trrt

I have tried using delimiter but not getting the expected result.

harsmarvania57 · ‎03-11-2019

Hi @ayush1906,

Based on sample data you can try below query

<yourBaseSearch>
| rex field=_raw "(?<a>\d+)\.\s(?<b>[^\d]*)(?:$|\s)" max_match=0
| eval c=mvzip(a,b)
| mvexpand c
| eval no=mvindex(split(c,","),0), name=mvindex(split(c,","),1)
| rex field=name mode=sed "s/\(\)//g"
| table no, name

Here is run anywhere search based on sample data

| makeresults
| eval _raw="1. xyz 2. dsh bh 3. sdh dsd() 4. trrt"
| rex field=_raw "(?<a>\d+)\.\s(?<b>[^\d]*)(?:$|\s)" max_match=0
| eval c=mvzip(a,b)
| mvexpand c
| eval no=mvindex(split(c,","),0), name=mvindex(split(c,","),1)
| rex field=name mode=sed "s/\(\)//g"
| table no, name

View solution in original post

vnravikumar · ‎03-11-2019

Hi @ayush1906

Try like

| makeresults 
| eval msg="1. xyz 2. dsh bh 3. sdh dsd() 4. trrt" 
| rex field=msg max_match=0 "(?P<no>\d+).\s(?P<name>[a-z\s]*)"

harsmarvania57 · ‎03-11-2019

Hi @ayush1906,

Based on sample data you can try below query

<yourBaseSearch>
| rex field=_raw "(?<a>\d+)\.\s(?<b>[^\d]*)(?:$|\s)" max_match=0
| eval c=mvzip(a,b)
| mvexpand c
| eval no=mvindex(split(c,","),0), name=mvindex(split(c,","),1)
| rex field=name mode=sed "s/\(\)//g"
| table no, name

Here is run anywhere search based on sample data

| makeresults
| eval _raw="1. xyz 2. dsh bh 3. sdh dsd() 4. trrt"
| rex field=_raw "(?<a>\d+)\.\s(?<b>[^\d]*)(?:$|\s)" max_match=0
| eval c=mvzip(a,b)
| mvexpand c
| eval no=mvindex(split(c,","),0), name=mvindex(split(c,","),1)
| rex field=name mode=sed "s/\(\)//g"
| table no, name

How to split data into multiple columns?

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023