The following could be the options you can use (assuming the delimiter is a dot "." between field values):
REX command
your base search | rex field=FieldA "(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"
Split command
your base search | eval temp=split(FieldA,".") | eval FieldB=mvindex(temp,0)| eval FieldC=mvindex(temp,1)| eval FieldD=mvindex(temp,2) | fields - temp
We have a similar scenario, but we have many domains and we want to split them accordingly. Any advice would be a great help.
test_corp1_osb_tid
-> product: osb
-> environment: tid
-> region: test
-> segment: corp
proc_osb_tid
-> product: osb
-> environment: tid
-> region: us
-> segment: proc
cvs_bpel_tid
-> product: bpel
-> environment: tid
-> region: us
-> segment: cvs
Do you have a "region" in your string in the examples 2 & 3?
Did you get an answer to this?
Here's one way to do it at search time:
... | rex field=FieldA "(?<FieldB>[^\.]*)\.(?<FieldC>[^\.]*)\.(?<FieldD>[\S]*)"
I know, 5 years later, but I need this to separate multiple fields delimited by ":".
This is working swimmingly for what I needed.
Hello, it's so useful. Thanks for the query. I have a question on this subject. I have a FieldA, and this field looks like FieldA="a\b\c\n\....\z". It's a long field. I want it to automatically split the field and give each value a name, so I actually want to see a manual version of field transforms. If you have an idea and would like to help, I would be glad.
In line with the above scenario, what if the values in the fields are not even? For example, FieldA has the following values:
product.country
product
product.country.price
product.price
product.country.price
In the above scenario, I tried split, but it is not working (but works). How to quantify for missing values/null values? I couldn't quantify for null values in the fields.
Try this:
your query |rex "FieldA\=(?<FieldB>.*)\.(?<FieldC>.*)\.(?<FieldD>.*)"|table FieldA FieldB FieldC FieldD
Lp
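For the uneven-values question above, here is an added example (not code from any poster in this thread) that builds test rows with makeresults from the values listed in that question, so it runs without any index. It counts the segments with mvcount, fills absent positions with the placeholder string "missing", and runs an optional-group rex alongside for comparison; the names parts, RexB, RexC and RexD are assumptions chosen for illustration.

```spl
| makeresults
| eval FieldA=split("product.country,product,product.country.price,product.price", ",")
| mvexpand FieldA
| eval temp=split(FieldA, "."), parts=mvcount(temp)
| eval FieldB=mvindex(temp, 0), FieldC=mvindex(temp, 1), FieldD=mvindex(temp, 2)
| rex field=FieldA "^(?<RexB>[^.]+)(?:\.(?<RexC>[^.]+))?(?:\.(?<RexD>.+))?$"
| fillnull value="missing" FieldC FieldD RexC RexD
| fields - temp _time
| table FieldA parts FieldB FieldC FieldD RexB RexC RexD
```

A rex pattern that requires both dots extracts nothing from a value with fewer segments, which is why the groups here are optional. Splitting by position cannot tell product.price from product.country: both put their second segment in FieldC, so telling them apart needs a rule based on the value itself.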