Solved: How split up a sentence string into multiple words

ibowman1995 · ‎12-02-2019

Hi,
let's say there is a field like this:
userData= Split this string

Is it possible to extract this sentence into different fields?
userData1=split
userData2=this
userData3=string

dindu · ‎12-02-2019

Hi,

You could try this as well.
Please test and let us know.

| makeresults 
| eval userData="Split this string"
|table userData
|eval words=split(userData," ")
|eval userData1=mvindex(words,0),userData2=mvindex(words,1),userData3=mvindex(words,2)

View solution in original post

dindu · ‎12-02-2019

Hi,

You could try this as well.
Please test and let us know.

| makeresults 
| eval userData="Split this string"
|table userData
|eval words=split(userData," ")
|eval userData1=mvindex(words,0),userData2=mvindex(words,1),userData3=mvindex(words,2)

to4kawa · ‎12-02-2019

Hi, @ibowman1995
Yes, you can. try this.

| makeresults 
| eval userData="Split this string"
| rex field=userData "(?<userData1>[^ ]+) (?<userData2>[^ ]+) (?<userData3>[^ ]+)"

richgalloway · ‎12-02-2019

Yes, it's possible. Look in the search docs for split. It returns a multi-value field with the words from the original string. Use mvindex() to access them.

... | eval words = split(userData, " ") 
| eval userData1=mvindex(userData, 0), userData2=mvindex(userData,1), userData3=mvindex(userData, 2)

---
If this reply helps you, Karma would be appreciated.

jacono64 · ‎02-07-2020

i can confirm this works bc i had multiple fields in one string.

How split up a sentence string into multiple words

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk