Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split up a string into multiple fields?

HeinzWaescher
Motivator
‎05-16-2014 05:58 AM

Hi,

let's say there is a field like this:

FieldA = product.country.price

Is it possible to extract this value into 3 different fields?

FieldB=product
FieldC=country
FieldD=price

Thanks in advance

Heinz

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-16-2014 06:33 AM

Following could be the option your can use:(assuming delimiter is dot "." between field values)

REX command 

 your base search | rex field=FieldA "(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"

Split command 

your base search | eval temp=split(FieldA,".") | eval FieldB=mvindex(temp,0)| eval FieldC=mvindex(temp,1)| eval FieldD=mvindex(temp,2) | fields - temp

View solution in original post

Reply
Solved! Jump to solution

pavan_bhumanapa
New Member
‎08-01-2014 03:00 PM

We have similar scenario but we have many domains and we want to split it accordingly . Any advice would be great help

test_corp1_osb_tid
-> product: osb
-> environment: tid
-> region: test
-> segment: corp

proc_osb_tid
-> product: osb
-> environment: tid
-> region: us
-> segment: proc

cvs_bpel_tid
-> product: bpel
-> environment: tid
-> region: us
-> segment: cvs

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎08-04-2014 12:41 AM

Do you have a "region" in your string in the examples 2 & 3?

0 Karma
Reply
Solved! Jump to solution

robertlynch2020
Motivator
‎11-08-2017 08:07 AM

Did you get an answer to this?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-16-2014 06:34 AM

Here's one way to do it at search time:

... | rex field=FieldA "(?<FieldB>[^\.]*)\.(?<FieldC>[^\.]*)\.(?<FieldD>[\S]*)"
---
If this reply helps you, an upvote would be appreciated.
Reply
Solved! Jump to solution

aebrittingham
Engager
‎05-09-2019 02:08 PM

I know, 5 years later but I need this to separate multiple fields delim by :
This working swimmingly for what I needed

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-16-2014 06:33 AM

Following could be the option your can use:(assuming delimiter is dot "." between field values)

REX command 

 your base search | rex field=FieldA "(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"

Split command 

your base search | eval temp=split(FieldA,".") | eval FieldB=mvindex(temp,0)| eval FieldC=mvindex(temp,1)| eval FieldD=mvindex(temp,2) | fields - temp
Reply
Solved! Jump to solution

sundarrajan
Path Finder
‎03-31-2017 05:41 AM

In line to the same above scenario, what if the values in the fields are not even? like FieldA has the following values,
product.country
product
product.country.price
product.price
product.country.price
in the above scenario, i tried split, but it is not working (but works). how to quantify for missing values/null values? i couldn't quantify for null values in the fields.

0 Karma
Reply
Solved! Jump to solution

lpolo
Motivator
‎05-16-2014 06:30 AM

Try this:

your query |rex "FieldA\=(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"|table FieldA FieldB FieldC FieldD

Lp

0 Karma
Reply
Get Updates on the Splunk Community!

tag as datamodel attribute

I'm confused a bit. I use CIM datamodels.The "tag" field is both a filter for choosing events applicable to a ...

Index with one sourcetype - search performance / best practices

Hello,I have created a few indexes, each containing data only from one source with one sourcetype.<BR />From a ...

Can you customize Additional Fields in Notable Events?

Is there a way to customize which additional fields to show for which Notable event /Co-relation search ...