Use Regex to extract a variable number of fields

JWBailey · ‎09-25-2013

I would like to perform search time field extraction on text that is already being stored in a field to break it up into multiple fields. The problem is I dont know how many fields.

An example would be to extract each word of text into its own field. So:

Field1="I love Splunk"

would become:

Sub1="I"

Sub2="love"

Sub3="Splunk"

And using the assumption that I have a consistent identifier to break up the fields (the space in this example), I need it to work for any amount of text in the original field.

My purpose for this is to identify specific details that are different between two text fields, not just that the fields as a whole are different. A more relevant example is identifying differences between two fields that contain a ton of information in Security Descriptor String Format.

So I guess a potential better question would be, does anyone know of a acceptable way to use splunk to make sense of Security Descriptor String Format?

yannK · ‎09-25-2013

use multivalue fields, and break them with space as separator.

see http://docs.splunk.com/Documentation/Splunk/5.0.5/Search/Parsemultivaluefields

example

* | makemv delim=" " Field1 | eval Field1_count=mvcount(Field1)

JWBailey · ‎09-25-2013

Yes.... thank you.

Use Regex to extract a variable number of fields

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!