Solved: Re: seperate fields of events by pipes

indeed_2000 · ‎01-17-2022

Hi

I have events like this:

1900/10/26|1900/10/25|333|CHECKOUT |U |2222|000|00 |14|111111 |000000000 |0000 | |12345678998|123456789987|1236549877896543 |3333333333333 | |1900/10/25|23:47:18|1900/10/25|23:47:19|1900/10/25|23:47:19|00000000000|000000000000|CTT|WQQ| |12345678|000000325585632|AB| | | | | |000000000000| | |000000000000|00000000|00000000|00000000|00000000| | | | | |null|0|IDD1

How can I seperate by pipe fields in search? (without change trans or any other config)

Thanks

ITWhisperer · ‎01-17-2022

That's a bit more involved (without changing configs)

| makeresults
| eval _raw="1900/10/26|1900/10/25|333|CHECKOUT |U |2222|000|00 |14|111111 |000000000 |0000 | |12345678998|123456789987|1236549877896543 |3333333333333 | |1900/10/25|23:47:18|1900/10/25|23:47:19|1900/10/25|23:47:19|00000000000|000000000000|CTT|WQQ| |12345678|000000325585632|AB| | | | | |000000000000| | |000000000000|00000000|00000000|00000000|00000000| | | | | |null|0|IDD1"
| eval field=split(_raw,"|")
| eval name=mvrange(1,mvcount(field)+1)
| eval name=mvmap(name,"field".name)
| eval namevalue=mvzip(name,field,"|")
| streamstats count as row 
| mvexpand namevalue
| eval name=mvindex(split(namevalue,"|"),0)
| eval value=mvindex(split(namevalue,"|"),1)
| eval {name}=value
| fields - field name value namevalue
| stats values(*) as * by row

View solution in original post

ITWhisperer · ‎01-17-2022

| eval field=split(_raw,"|")

indeed_2000 · ‎01-17-2022

it just create one field that all fileds exist on that.

expected result is put them in seperate fields for each columns inot the table, like this:

field1 field2 field3 field4 ...

1900/10/26 1900/10/25 333 CHECKOUT ....

Any idea?

Thanks

ITWhisperer · ‎01-17-2022

That's a bit more involved (without changing configs)

| makeresults
| eval _raw="1900/10/26|1900/10/25|333|CHECKOUT |U |2222|000|00 |14|111111 |000000000 |0000 | |12345678998|123456789987|1236549877896543 |3333333333333 | |1900/10/25|23:47:18|1900/10/25|23:47:19|1900/10/25|23:47:19|00000000000|000000000000|CTT|WQQ| |12345678|000000325585632|AB| | | | | |000000000000| | |000000000000|00000000|00000000|00000000|00000000| | | | | |null|0|IDD1"
| eval field=split(_raw,"|")
| eval name=mvrange(1,mvcount(field)+1)
| eval name=mvmap(name,"field".name)
| eval namevalue=mvzip(name,field,"|")
| streamstats count as row 
| mvexpand namevalue
| eval name=mvindex(split(namevalue,"|"),0)
| eval value=mvindex(split(namevalue,"|"),1)
| eval {name}=value
| fields - field name value namevalue
| stats values(*) as * by row

seperate fields of events by pipes

eval

fields

rex

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms