Solved: Re: Split without delimiter

EberlinM · ‎08-20-2021

How can I split a field, into many other fields, but without using a delimiter, and using the position range instead?

For example:

bignumber = 16563764

I need to split it in:

account id = position [0 to 3] of field "bignumber"

company code = position [4 to 6] of field "bignumber"

operation code = position [7] of field "bignumber"

Thanks!!

ITWhisperer · ‎08-20-2021

| makeresults
| eval bignumber = 16563764
| eval digits=split(tostring(bignumber),"")
| eval accountId=mvjoin(mvindex(digits,0,3),"")
| eval companyCode=mvjoin(mvindex(digits,4,6),"")
| eval operationCode=mvindex(digits,7)
| fields - digits

View solution in original post

ITWhisperer · ‎08-20-2021

| makeresults
| eval bignumber = 16563764
| eval digits=split(tostring(bignumber),"")
| eval accountId=mvjoin(mvindex(digits,0,3),"")
| eval companyCode=mvjoin(mvindex(digits,4,6),"")
| eval operationCode=mvindex(digits,7)
| fields - digits

EberlinM · ‎08-20-2021

Thank you! Worked perfectly!

Split without delimiter

eval

field extraction

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Join the Conversation