Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Split pipe delimited line into named columns

Noorzaie
Explorer
‎01-05-2017 01:52 PM

I have the following text line:

COLC |BCCR7520|ACAUTLO1| 300|2017-01-03-12.00.12.000000|2017-01-03-12.02.30.000000| 159| 159| 0| 2M18| 0:01.03| 2M18| 0| 4|LOAD AUTH MASTER TBL|2017-01-03-12.00.12.000000|

I have tried this with no avail:

| rex field=.* "(?<f01>[^\|].*)\|(?<f02>.*)\|" |table f01, f02

Appreciate the help.

Reply
1 Solution
Solved! Jump to solution
Solution

nmohammed
Builder
‎01-06-2017 10:40 AM

try using this -

| rex field=_raw "^(?[^|].+)|(?[^|].+)|" | table f01, f02

View solution in original post

Reply
Solved! Jump to solution
Solution

nmohammed
Builder
‎01-06-2017 10:40 AM

try using this -

| rex field=_raw "^(?[^|].+)|(?[^|].+)|" | table f01, f02

Reply
Solved! Jump to solution

Noorzaie
Explorer
‎01-06-2017 10:54 AM

That did it!
Thank you for your help.

0 Karma
Reply
Solved! Jump to solution

Noorzaie
Explorer
‎01-06-2017 10:14 AM

Thank you for the input. But I seem to have no luck with it. I still get blanks in the result set.
Will the field=.* return all the data to the end of the line so the rest of the rule can break it down?
I see data in the "events" (299,102 rows). One row from the events:
RENC |OROB531K| | 0|2017-01-05-02.05.47.000000|2017-01-05-02.05.54.000000|17761|17761| 0| 7| 0:00.46|24H00|24H00| 1|LROP D/B RESTORE |2017-01-04-02.04.57.000000| |0001-01-01| | 0| | -| -| -|

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...