Solved: Re: Split pipe delimited line into named columns

Noorzaie · ‎01-05-2017

I have the following text line:

COLC |BCCR7520|ACAUTLO1| 300|2017-01-03-12.00.12.000000|2017-01-03-12.02.30.000000| 159| 159| 0| 2M18| 0:01.03| 2M18| 0| 4|LOAD AUTH MASTER TBL|2017-01-03-12.00.12.000000|

I have tried this with no avail:

| rex field=.* "(?<f01>[^\|].*)\|(?<f02>.*)\|" |table f01, f02

Appreciate the help.

nmohammed · ‎01-06-2017

try using this -

| rex field=_raw "^(?[^|].+)|(?[^|].+)|" | table f01, f02

View solution in original post

nmohammed · ‎01-06-2017

try using this -

| rex field=_raw "^(?[^|].+)|(?[^|].+)|" | table f01, f02

Noorzaie · ‎01-06-2017

That did it!
Thank you for your help.

Noorzaie · ‎01-06-2017

Thank you for the input. But I seem to have no luck with it. I still get blanks in the result set.
Will the field=.* return all the data to the end of the line so the rest of the rule can break it down?
I see data in the "events" (299,102 rows). One row from the events:
RENC |OROB531K| | 0|2017-01-05-02.05.47.000000|2017-01-05-02.05.54.000000|17761|17761| 0| 7| 0:00.46|24H00|24H00| 1|LROP D/B RESTORE |2017-01-04-02.04.57.000000| |0001-01-01| | 0| | -| -| -|

Split pipe delimited line into named columns

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!