How to split multiple fields?

paras · ‎10-31-2022

I need to be able to split multiple fields that have a delimiter of "|#|". The field name will differ depending on the log. Is there a way to do a mass split using props.conf or transforms.conf. Is there a way to do this without having to write a eval statement for every single field that may come?

EX:

log:: time=XXXX,src_ip="123.123.123.123|#|234.234.234.234|#|",user="foo1|#|foo2|#|foo3"......

I want to split src_ip, and user.

yuanliu · ‎10-31-2022

Whereas you cannot do this in props.conf or transforms.conf, you don't necessarily have to write each split. That's why SPL includes iteration commands such as foreach.

| foreach src_ip, user
  [eval <<FIELD>> = split(<<FIELD>>, "|#|")]

richgalloway · ‎10-31-2022

Use the split function.

| makeresults | eval src_ip="123.123.123.123|#|234.234.234.234|#|",user="foo1|#|foo2|#|foo3"
| eval srcs=split(src_ip, "|#|"), users=split(user,"|#|")

You can do it at index time using INGEST_EVAL. In transforms.conf:

INGEST_EVAL srcs=split(src_ip, "|#|")
INGEST_EVAL users=split(user,"|#|")

---
If this reply helps you, Karma would be appreciated.

How to split multiple fields?

fields

regex

stats

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?

How to split multiple fields?

fields

regex

stats

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition