Solved: Re: How split up a string into multiple fields

HeinzWaescher · ‎05-16-2014

Hi,

let's say there is a field like this:

FieldA = product.country.price

Is it possible to extract this value into 3 different fields?

FieldB=product
FieldC=country
FieldD=price

Thanks in advance

Heinz

somesoni2 · ‎05-16-2014

Following could be the option your can use:(assuming delimiter is dot "." between field values)

REX command

 your base search | rex field=FieldA "(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"

Split command

your base search | eval temp=split(FieldA,".") | eval FieldB=mvindex(temp,0)| eval FieldC=mvindex(temp,1)| eval FieldD=mvindex(temp,2) | fields - temp

View solution in original post

pavan_bhumanapa · ‎08-01-2014

We have similar scenario but we have many domains and we want to split it accordingly . Any advice would be great help

test_corp1_osb_tid
-> product: osb
-> environment: tid
-> region: test
-> segment: corp

proc_osb_tid
-> product: osb
-> environment: tid
-> region: us
-> segment: proc

cvs_bpel_tid
-> product: bpel
-> environment: tid
-> region: us
-> segment: cvs

HeinzWaescher · ‎08-04-2014

Do you have a "region" in your string in the examples 2 & 3?

robertlynch2020 · ‎11-08-2017

Did you get an answer to this?

richgalloway · ‎05-16-2014

Here's one way to do it at search time:

... | rex field=FieldA "(?<FieldB>[^\.]*)\.(?<FieldC>[^\.]*)\.(?<FieldD>[\S]*)"

---
If this reply helps you, Karma would be appreciated.

aebrittingham · ‎05-09-2019

I know, 5 years later but I need this to separate multiple fields delim by :
This working swimmingly for what I needed

somesoni2 · ‎05-16-2014

Following could be the option your can use:(assuming delimiter is dot "." between field values)

REX command

 your base search | rex field=FieldA "(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"

Split command

your base search | eval temp=split(FieldA,".") | eval FieldB=mvindex(temp,0)| eval FieldC=mvindex(temp,1)| eval FieldD=mvindex(temp,2) | fields - temp

Thats_my_usrnme · ‎11-10-2022

Hello its so usefull. Thanks for the query . I have a question for this subject. I have a FieldA and this fileds like a FieldA="a\b\c\n\....\z" . its a long field. I want it to automatically split the field and give each value a name. so I actually want to see a manual version of field transforms. If you have an idea and would like to help, I would be glad.

sundarrajan · ‎03-31-2017

In line to the same above scenario, what if the values in the fields are not even? like FieldA has the following values,
product.country
product
product.country.price
product.price
product.country.price
in the above scenario, i tried split, but it is not working (but works). how to quantify for missing values/null values? i couldn't quantify for null values in the fields.

lpolo · ‎05-16-2014

Try this:

your query |rex "FieldA\=(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"|table FieldA FieldB FieldC FieldD

Lp

How to split up a string into multiple fields?

fields

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!