Solved: Re: Split pipe delimited line into named columns

Noorzaie · ‎01-05-2017

I have the following text line:

COLC |BCCR7520|ACAUTLO1| 300|2017-01-03-12.00.12.000000|2017-01-03-12.02.30.000000| 159| 159| 0| 2M18| 0:01.03| 2M18| 0| 4|LOAD AUTH MASTER TBL|2017-01-03-12.00.12.000000|

I have tried this with no avail:

| rex field=.* "(?<f01>[^\|].*)\|(?<f02>.*)\|" |table f01, f02

Appreciate the help.

nmohammed · ‎01-06-2017

try using this -

| rex field=_raw "^(?[^|].+)|(?[^|].+)|" | table f01, f02

View solution in original post

nmohammed · ‎01-06-2017

try using this -

| rex field=_raw "^(?[^|].+)|(?[^|].+)|" | table f01, f02

Noorzaie · ‎01-06-2017

That did it!
Thank you for your help.

Noorzaie · ‎01-06-2017

Thank you for the input. But I seem to have no luck with it. I still get blanks in the result set.
Will the field=.* return all the data to the end of the line so the rest of the rule can break it down?
I see data in the "events" (299,102 rows). One row from the events:
RENC |OROB531K| | 0|2017-01-05-02.05.47.000000|2017-01-05-02.05.54.000000|17761|17761| 0| 7| 0:00.46|24H00|24H00| 1|LROP D/B RESTORE |2017-01-04-02.04.57.000000| |0001-01-01| | 0| | -| -| -|

Split pipe delimited line into named columns

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation