- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splitting raw field after transaction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I used transaction to combine 2 rows of raw fields:
| raw |
4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345 4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345 |
| 4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345 |
1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890 1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890 |
Is there a simple way to split the raw field into "raw1" and "raw2" as below (preferably without using rex)?
| raw | raw1 | raw2 |
4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345 4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345 | 4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345 | 4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345 |
| 4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345 | 4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345 | |
1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890 1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890 | 1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890 | 1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Using mvindex on the multivalue raw field
| eval raw1=mvindex(raw,0), raw2=mvindex(raw,1)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Using mvindex on the multivalue raw field
| eval raw1=mvindex(raw,0), raw2=mvindex(raw,1)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Also just FYI - as a generic solution to splitting multivalue fields where you don't always know you will have 2 fields, you can do this sort of thing
| foreach 0 1 2 3 4 5 [ eval raw<<FIELD>>=mvindex(raw,<<FIELD>>) ]which would split up to 6 values of a multi-value field into raw0, raw1, raw2 etc.
Register for FREE Today!
We've made .conf21 totally virtual
and totally FREE! Our completely
online experience will run from 10/19
through 10/20 with some additional
events, too!
Learn More or Register Now >
