Solved: Re: How to split values within a field that are no...

pstamati · ‎06-26-2018

Hello everyone, I have this field with values that are retrieved withing "" but not separated by any character, and I was wondering how to represent those into different lines using the Split function, but I'm not able to split these are I'm not able to identify what character to use in the split function.
See an example of the field value:

"RTS851""SASPROD""SYS""JYCX""DEVUSER""SCFL""SYSTEM""CZ""VATUSER""CYBERDBUSER""ILOG666"

I tried using |eval Values=split(Value,"") but didn't work.

See results:

"
R
T
S
8
5
1
"
"
S
A
S
P
R
O
D

Any idea ?
Thanks in advance for any help you can provide.

kamlesh_vaghela · ‎06-26-2018

HI @pstamati,

You can use rex command. Can you please try the following search?

| makeresults | eval _raw="\"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\"" | rex field=_raw max_match=10  "\"(?<Values>.*?)\""

View solution in original post

FrankVl · ‎06-27-2018

Alternative without regex would be to replace the "" by a single character using the replace() function. Then split by that character.

For example replace double quotes by semi-colon (and trim of the quotes at start and end) and then split by semi-colon:

| makeresults 
| eval _raw="\"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\""
| eval test = replace(_raw,"\"\"",";")
| eval test = replace(test,"\"","")
| eval test = split(test,";")

jkat54 · ‎06-26-2018

Let’s say the field name is abc

| makemv abc delims=‘“\”’
| mvexpand abc
| rex mode=sed “s/“|\//g”

pstamati · ‎06-26-2018

| rex mode=sed “s/“|\//g” this part give an error, that I cannot solve. Any idea?
Error in 'SearchParser': Missing a search command before '\'.

jkat54 · ‎06-26-2018

Oh it’s because I didn’t surround the sed expression with single quotes.

Sukisen1981 · ‎06-26-2018

you have 4 single quotes or 2 double quotes. what happens if you try this enclosing them like this |eval Values=split(Value,"""")

Sukisen1981 · ‎06-26-2018

another way is to use regex,that would surely work out

kamlesh_vaghela · ‎06-26-2018

HI @pstamati,

You can use rex command. Can you please try the following search?

| makeresults | eval _raw="\"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\"" | rex field=_raw max_match=10  "\"(?<Values>.*?)\""

pstamati · ‎06-26-2018

It worked. I got confused with the |makeresults, command but once I removed that and the first eval, it worked pretty good. Many thanks!!

pstamati · ‎06-26-2018

Just have in mind \"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\" is just the value of the filed I want to split into multiple values. the same field will have different values.

To explain this better, the field contains multiple "Usernames". Each line will have different Usernames all together in the same field value. I want to splint the field having 1 line per Username, so instead of having

"RTS851""SASPROD""SYS""JYCX""DEVUSER"

I get something like
"RTS851"
"SASPROD"
"SYS"
"JYCX"
"DEVUSER"

Is it clearer?

pstamati · ‎06-26-2018

These are 4 different records, where the value of the field Output contains a list of usernames as follows:

"RTS851""SASPROD""SYS""JYCX""DEVUSER""SCFL""SYSTEM""CZ""VATUSER""CYBERDBUSER""ILOG666"
"SYSTEM""LBS$MAUGAETE""LBS$AORELLAN""SYS"
"SYSTEM""LBS$MAUGAETE""LBS$AORELLAN""SYS""ESTADISTICA"
"LBS$ACISTERN""SYS""ADMINDBA""LBS$AORELLAN""LBS$ROLGONZA""LBS$PRANA""SYSTEM"

What I want, is to be able to have the value of each field "Output" like it follows:
RTS851
SASPROD
SYS
JYCX
DEVUSER
SCFL
SYSTEM
CZ
VATUSER
CYBERDBUSER
ILOG666

How to split values within a field that are not separated by any characters?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!