Splunk Search

How to split values within a field that are not separated by any characters?

Path Finder

Hello everyone, I have this field with values that are retrieved within "" but not separated by any character, and I was wondering how to represent those on different lines using the Split function, but I'm not able to split these as I'm not able to identify what character to use in the split function.
See an example of the field value:

"RTS851""SASPROD""SYS""JYCX""DEVUSER""SCFL""SYSTEM""CZ""VATUSER""CYBERDBUSER""ILOG666"

I tried using |eval Values=split(Value,"") but didn't work.

See results:

"
R
T
S
8
5
1
"
"
S
A
S
P
R
O
D

Any idea ?
Thanks in advance for any help you can provide.

0 Karma
1 Solution

SplunkTrust

Hi @pstamati,

You can use rex command. Can you please try the following search?

| makeresults | eval _raw="\"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\"" | rex field=_raw max_match=10  "\"(?<Values>.*?)\""


0 Karma

Ultra Champion

An alternative without regex would be to replace the "" by a single character using the replace() function, then split by that character.

For example, replace the double quotes by a semicolon (and trim off the quotes at start and end) and then split by the semicolon:

| makeresults 
| eval _raw="\"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\""
| eval test = replace(_raw,"\"\"",";")
| eval test = replace(test,"\"","")
| eval test = split(test,";")

0 Karma
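
As an added illustration (not code from this thread), the same extraction in Python over the four "Output" values quoted further down: split_rex mirrors the accepted rex pattern, split_replace mirrors the replace()/split() route, and the loss check shows why rex max_match=10 silently drops the eleventh username of the first record (max_match=0 removes the cap in Splunk).

```python
import re

# Constructed sample: the four "Output" field values posted in the thread.
RECORDS = [
    '"RTS851""SASPROD""SYS""JYCX""DEVUSER""SCFL""SYSTEM""CZ""VATUSER""CYBERDBUSER""ILOG666"',
    '"SYSTEM""LBS$MAUGAETE""LBS$AORELLAN""SYS"',
    '"SYSTEM""LBS$MAUGAETE""LBS$AORELLAN""SYS""ESTADISTICA"',
    '"LBS$ACISTERN""SYS""ADMINDBA""LBS$AORELLAN""LBS$ROLGONZA""LBS$PRANA""SYSTEM"',
]

# Same pattern as the accepted rex answer, "(?<Values>.*?)"; Python spells the
# named group (?P<Values>...). Non-greedy .*? stops at the closing quote of each
# username, so the empty gap between "" pairs never becomes a value.
QUOTED = re.compile(r'"(?P<Values>.*?)"')


def split_rex(value, max_match=None):
    """Extract every quoted username. max_match=None behaves like rex
    max_match=0 (unlimited); an integer reproduces the rex max_match=N cap."""
    found = [m.group("Values") for m in QUOTED.finditer(value)]
    return found if max_match is None else found[:max_match]


def split_replace(value):
    """Regex-free route from the thread: '""' -> ';', drop the remaining
    outer quotes, then split on ';'."""
    joined = value.replace('""', ';').replace('"', '')
    return joined.split(';') if joined else []


def is_lossless(value, parts):
    """Re-quoting and re-joining the parts must reproduce the original field
    byte for byte; if it does not, some username was dropped or mangled."""
    return ''.join(f'"{p}"' for p in parts) == value


if __name__ == "__main__":
    for rec in RECORDS:
        capped = split_rex(rec, max_match=10)
        print(len(split_rex(rec)), "usernames; max_match=10 lossless:",
              is_lossless(rec, capped))
```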

SplunkTrust

Let’s say the field name is abc

| makemv abc delims=‘“\”’
| mvexpand abc
| rex mode=sed “s/“|\//g”

0 Karma

Path Finder

| rex mode=sed “s/“|\//g” this part give an error, that I cannot solve. Any idea?
Error in 'SearchParser': Missing a search command before '\'.

0 Karma

SplunkTrust

Oh it’s because I didn’t surround the sed expression with single quotes.

0 Karma

Champion

You have 4 single quotes or 2 double quotes. What happens if you try enclosing them like this: |eval Values=split(Value,"""")

0 Karma

Champion

Another way is to use regex, that would surely work out.

0 Karma


Path Finder

It worked. I got confused with the |makeresults command, but once I removed that and the first eval, it worked pretty well. Many thanks!!

0 Karma

Path Finder

Just have in mind that \"RTS851\"\"SASPROD\"\"SYS\"\"JYCX\"\"DEVUSER\"\"SCFL\"\"SYSTEM\"\"CZ\"\"VATUSER\"\"CYBERDBUSER\"\"ILOG666\" is just the value of the field I want to split into multiple values. The same field will have different values.

To explain this better, the field contains multiple "Usernames". Each line will have different Usernames all together in the same field value. I want to split the field so that I have 1 line per Username, so instead of having

"RTS851""SASPROD""SYS""JYCX""DEVUSER"

I get something like
"RTS851"
"SASPROD"
"SYS"
"JYCX"
"DEVUSER"

Is it clearer?

0 Karma

Path Finder

These are 4 different records, where the value of the field Output contains a list of usernames as follows:

"RTS851""SASPROD""SYS""JYCX""DEVUSER""SCFL""SYSTEM""CZ""VATUSER""CYBERDBUSER""ILOG666"
"SYSTEM""LBS$MAUGAETE""LBS$AORELLAN""SYS"
"SYSTEM""LBS$MAUGAETE""LBS$AORELLAN""SYS""ESTADISTICA"
"LBS$ACISTERN""SYS""ADMINDBA""LBS$AORELLAN""LBS$ROLGONZA""LBS$PRANA""SYSTEM"

What I want is to be able to have the value of each field "Output" as follows:
RTS851
SASPROD
SYS
JYCX
DEVUSER
SCFL
SYSTEM
CZ
VATUSER
CYBERDBUSER
ILOG666

0 Karma