Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Replace every 2nd pattern with carriage.

jiaqya
Builder
‎05-06-2019 11:46 PM

i have a field with dates in single line ( could be many dates )

ex: 2019-04-11 23:15:58.547 2019-05-02 10:11:22.833 2019-05-03 10:21:27.0

need help to replace every 2nd space with carriage, so each date shows on a separate line when exported. right now they show on single line when exported.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 12:55 AM

Assuming, you need to do at Search Time, please find an example

|makeresults 
| eval raw_data="2019-04-11 23:15:58.547 2019-05-02 10:11:22.833 2019-05-03 10:21:27.0"
| rex field=raw_data mode=sed "s/([\d\-]+)\s([\d\:\.]+)/\1 \2;/g"
|makemv delim=";" raw_data
|mvexpand raw_data

you may need to improve the regex based on your data

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-07-2019 12:55 AM

Assuming, you need to do at Search Time, please find an example

|makeresults 
| eval raw_data="2019-04-11 23:15:58.547 2019-05-02 10:11:22.833 2019-05-03 10:21:27.0"
| rex field=raw_data mode=sed "s/([\d\-]+)\s([\d\:\.]+)/\1 \2;/g"
|makemv delim=";" raw_data
|mvexpand raw_data

you may need to improve the regex based on your data

0 Karma
Reply
Solved! Jump to solution

jiaqya
Builder
‎05-07-2019 02:12 AM

Koshyk , thank you, using this code, i am able to see the data in a new line within the column. ( leaving the last line of code , ie |mvexpand raw_data as i want all data to be in single row )

But when i export, i dont see new line in the row, but all in same line with ; as delimiter.

can the same format be there when we export the file ?

0 Karma
Reply
Solved! Jump to solution

jiaqya
Builder
‎05-07-2019 03:04 AM

Never mind, got it to work by doing below code.

|rex field=raw_data mode=sed "s/([\d-]+)\s([\d:.]+)/\1 \2;/g"

|makemv delim=";" raw_data
|rex field=raw_data mode=sed "s/;/\n/g"

First 2 lines are from what you gave, then i changed the ; delimiter back to new line on the 3rd line.
this ensures, i can see the records in new line on the report page and also shows as new lines when i export them to xls/csv

thanks

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎05-07-2019 03:30 AM

great to know it worked. cheers

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...