Solved: How to split the value into title and value?

mcohen13 · ‎07-05-2018

I have a field that I extract to information from Whois
this field every value is write so that the title of the value is before ":" char and the title value is after ":" char
for example:
Updated Date: 2018-05-18T07:59:22Z
Creation Date: 2018-05-13T07:59:22Z

What I want to do is to split this value in the field to a title field to hold the left side of the first ":" and the value of the title in the right side of the ":" char
I need this to apply only to the first ":" char because some value get have more than one ":" char as you can see above

harishalipaka · ‎07-05-2018

hi @mcohen

|makeresults |eval custid="Updated Date: 2018-05-18T07:59:22Z" | rex field=custid "(?<subField1>[^:]+):(?<subField2>.+)"

Thanks
Harish

View solution in original post

kamlesh_vaghela · ‎07-05-2018

Hi @mcohen13,

Can you please try the following search? I have used rex command for extracting first and second value. See column A & B for first and second value respectively.

| makeresults | eval data="Updated Date: 2018-05-18T07:59:22Z,Creation Date: 2018-05-13T07:59:22Z", data=split(data,",") | mvexpand data | rex field=data "(?<A>.*):\s(?<B>.*)" | table data A B

Thanks

harishalipaka · ‎07-05-2018

hi @mcohen

|makeresults |eval custid="Updated Date: 2018-05-18T07:59:22Z" | rex field=custid "(?<subField1>[^:]+):(?<subField2>.+)"

Thanks
Harish

How to split the value into title and value?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services