Use Regex to extract a variable number of fields

JWBailey · ‎09-25-2013

I would like to perform search time field extraction on text that is already being stored in a field to break it up into multiple fields. The problem is I dont know how many fields.

An example would be to extract each word of text into its own field. So:

Field1="I love Splunk"

would become:

Sub1="I"

Sub2="love"

Sub3="Splunk"

And using the assumption that I have a consistent identifier to break up the fields (the space in this example), I need it to work for any amount of text in the original field.

My purpose for this is to identify specific details that are different between two text fields, not just that the fields as a whole are different. A more relevant example is identifying differences between two fields that contain a ton of information in Security Descriptor String Format.

So I guess a potential better question would be, does anyone know of a acceptable way to use splunk to make sense of Security Descriptor String Format?

yannK · ‎09-25-2013

use multivalue fields, and break them with space as separator.

see http://docs.splunk.com/Documentation/Splunk/5.0.5/Search/Parsemultivaluefields

example

* | makemv delim=" " Field1 | eval Field1_count=mvcount(Field1)

JWBailey · ‎09-25-2013

Yes.... thank you.

Use Regex to extract a variable number of fields

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms