Solved: Splitting raw field after transaction

moinyuso96 · ‎06-16-2021

I used transaction to combine 2 rows of raw fields:

raw

4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345

4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345

4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345

1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890

1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890

Is there a simple way to split the raw field into "raw1" and "raw2" as below (preferably without using rex)?

raw	raw1	raw2
4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345 4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345	4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345	4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345
4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345	4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345
1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890 1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890	1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890	1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890

bowesmana · ‎06-16-2021

Using mvindex on the multivalue raw field

| eval raw1=mvindex(raw,0), raw2=mvindex(raw,1)

View solution in original post

bowesmana · ‎06-16-2021

Using mvindex on the multivalue raw field

| eval raw1=mvindex(raw,0), raw2=mvindex(raw,1)

bowesmana · ‎06-16-2021

Also just FYI - as a generic solution to splitting multivalue fields where you don't always know you will have 2 fields, you can do this sort of thing

| foreach 0 1 2 3 4 5 [ eval raw<<FIELD>>=mvindex(raw,<<FIELD>>) ]

which would split up to 6 values of a multi-value field into raw0, raw1, raw2 etc.

Splitting raw field after transaction

field extraction

transaction

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment