Splunk Search

Separate fields of events by pipes

indeed_2000
Builder
Hi
I have events like this:
 
1900/10/26|1900/10/25|333|CHECKOUT |U |2222|000|00 |14|111111 |000000000 |0000 | |12345678998|123456789987|1236549877896543 |3333333333333 | |1900/10/25|23:47:18|1900/10/25|23:47:19|1900/10/25|23:47:19|00000000000|000000000000|CTT|WQQ| |12345678|000000325585632|AB| | | | | |000000000000| | |000000000000|00000000|00000000|00000000|00000000| | | | | |null|0|IDD1
 
How can I separate fields by pipe in search? (without changing trans or any other config)
 
Thanks
1 Solution

ITWhisperer
SplunkTrust

That's a bit more involved (without changing configs)

| makeresults
| eval _raw="1900/10/26|1900/10/25|333|CHECKOUT |U |2222|000|00 |14|111111 |000000000 |0000 | |12345678998|123456789987|1236549877896543 |3333333333333 | |1900/10/25|23:47:18|1900/10/25|23:47:19|1900/10/25|23:47:19|00000000000|000000000000|CTT|WQQ| |12345678|000000325585632|AB| | | | | |000000000000| | |000000000000|00000000|00000000|00000000|00000000| | | | | |null|0|IDD1"
| eval field=split(_raw,"|")
| eval name=mvrange(1,mvcount(field)+1)
| eval name=mvmap(name,"field".name)
| eval namevalue=mvzip(name,field,"|")
| streamstats count as row 
| mvexpand namevalue
| eval name=mvindex(split(namevalue,"|"),0)
| eval value=mvindex(split(namevalue,"|"),1)
| eval {name}=value
| fields - field name value namevalue
| stats values(*) as * by row


ITWhisperer
SplunkTrust
| eval field=split(_raw,"|")

indeed_2000
Builder

It just creates one field in which all the fields exist.

The expected result is to put them in separate fields, one for each column in the table, like this:

field1       field2       field3   field4     ...
1900/10/26   1900/10/25   333      CHECKOUT   ....

Any idea?

Thanks
