Solved: How to split the value into title and value?

mcohen13 · ‎07-05-2018

I have a field that I extract to information from Whois
this field every value is write so that the title of the value is before ":" char and the title value is after ":" char
for example:
Updated Date: 2018-05-18T07:59:22Z
Creation Date: 2018-05-13T07:59:22Z

What I want to do is to split this value in the field to a title field to hold the left side of the first ":" and the value of the title in the right side of the ":" char
I need this to apply only to the first ":" char because some value get have more than one ":" char as you can see above

harishalipaka · ‎07-05-2018

hi @mcohen

|makeresults |eval custid="Updated Date: 2018-05-18T07:59:22Z" | rex field=custid "(?<subField1>[^:]+):(?<subField2>.+)"

Thanks
Harish

View solution in original post

kamlesh_vaghela · ‎07-05-2018

Hi @mcohen13,

Can you please try the following search? I have used rex command for extracting first and second value. See column A & B for first and second value respectively.

| makeresults | eval data="Updated Date: 2018-05-18T07:59:22Z,Creation Date: 2018-05-13T07:59:22Z", data=split(data,",") | mvexpand data | rex field=data "(?<A>.*):\s(?<B>.*)" | table data A B

Thanks

harishalipaka · ‎07-05-2018

hi @mcohen

|makeresults |eval custid="Updated Date: 2018-05-18T07:59:22Z" | rex field=custid "(?<subField1>[^:]+):(?<subField2>.+)"

Thanks
Harish

How to split the value into title and value?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to split the value into title and value?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!