Splunk Search

Splitting raw field after transaction

moinyuso96
Path Finder

I used transaction to combine 2 rows of raw fields:

raw

4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345

4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345

4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345

1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890

1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890

 

Is there a simple way to split the raw field into "raw1" and "raw2" as below (preferably without using rex)?

rawraw1raw2

4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345

4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345

4015_ABCD, Start, 8/11/2020 5:37:10 PM, 123454015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345
4015_ABCD, Start, 8/12/2020 10:23:34 AM, 123454015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345 

1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890

1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890

1113_EFGH, Start, 8/12/2020 12:00:00 PM, 678901113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890
Labels (2)
0 Karma
1 Solution

bowesmana
Super Champion

Using mvindex on the multivalue raw field

| eval raw1=mvindex(raw,0), raw2=mvindex(raw,1)

View solution in original post

bowesmana
Super Champion

Using mvindex on the multivalue raw field

| eval raw1=mvindex(raw,0), raw2=mvindex(raw,1)

View solution in original post

bowesmana
Super Champion

Also just FYI - as a generic solution to splitting multivalue fields where you don't always know you will have 2 fields, you can do this sort of thing

| foreach 0 1 2 3 4 5 [ eval raw<<FIELD>>=mvindex(raw,<<FIELD>>) ]

which would split up to 6 values of a multi-value field into raw0, raw1, raw2 etc.

 

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!