Getting Data In

How to split a value that is delimited lines inside of a delimited line

feickertmd
Communicator

Here's a puzzler for you all.

I have SharePoint search logs coming in. The results field has a value like this:
4##18.3953018188477##docURL##False##False##True##False##||0##18.5134868621826##docURL##False##False##True##False##||2##18.4921894073486##docURL##False##False##True##False##||... etc.

Note that there exist TWO delimiters: || to separate the results sets and ## to separate the values within the result set.

I know I can use split to separate at || and create a MV field. But is it possible from that point to do this:

  1. Hit each of the new values.
  2. Split them to MV fields on ##.
  3. Extract the value for display.

Or, of course, is there a different way to extract those doc URLs? I want to display them in a report of search string and returned results.

Thanks!

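The three steps above written out in SPL, as an added example rather than anything from the original thread. It uses makeresults with a constructed results value (the URLs under sp.example.com are placeholders) so it can be pasted straight into a search bar; in a real search, replace the makeresults and eval lines with the SharePoint search index and the field that actually carries the results string. The positions within each result set (rank first, score second, URL third) are assumed from the sample in the question.

```spl
| makeresults
| eval query="quarterly report"
| eval results="4##18.3953018188477##https://sp.example.com/sites/fin/q1.docx##False##False##True##False##||0##18.5134868621826##https://sp.example.com/sites/fin/q2.docx##False##False##True##False##||2##18.4921894073486##https://sp.example.com/sites/fin/q3.docx##False##False##True##False##"
| eval result=split(results, "||")
| mvexpand result
| eval parts=split(result, "##")
| eval rank=mvindex(parts, 0), score=mvindex(parts, 1), docURL=mvindex(parts, 2)
| where isnotnull(docURL) AND docURL!=""
| table query rank score docURL
```

The first split turns the results string into a multivalue field with one entry per result set; mvexpand makes each entry its own event; the second split breaks that entry into its ##-separated tokens, and mvindex picks the ones worth keeping. The where clause drops the empty entry that a trailing || would produce. Two caveats: splitting on ## is wrong if a URL can contain a # fragment, so check the token count per result set (the sample gives eight tokens, the last one empty because of the trailing ##) before trusting the column positions; and mvexpand buffers every expanded event in memory, so on very long results fields keep an eye on the mvexpand memory limit in limits.conf. To get back to one row per search, finish with | stats values(docURL) as docURL by query.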
1 Solution

aljohnson_splun
Splunk Employee

You could use rex or the field extractor to get the URL saved as a field. It's hard to give an example for rex without seeing how the search is structured within the docURL, but it might look something like:
| rex "url_base_here(?<docURL>search_string_here)"



feickertmd
Communicator

Since what I'm after will be two fields from each part of the string, I plan to run rex to extract and , then use mvzip() and mvexpand to create new columns of data.

Thanks for the answer!

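The rex, mvzip() and mvexpand plan described above, written out as an added SPL example (not code from the thread). The regex assumes each result set starts at the beginning of the string or right after ||, that it begins with an integer rank, a decimal score and then the URL, each terminated by ##, and that the URL itself contains no # character; the results value and the sp.example.com URLs are constructed placeholders.

```spl
| makeresults
| eval results="4##18.3953018188477##https://sp.example.com/sites/fin/q1.docx##False##False##True##False##||0##18.5134868621826##https://sp.example.com/sites/fin/q2.docx##False##False##True##False##"
| rex field=results max_match=0 "(?:^|\|\|)\d+##(?<score>\d+\.\d+)##(?<docURL>[^#]+)##"
| eval pair=mvzip(score, docURL, "|")
| mvexpand pair
| eval score=mvindex(split(pair, "|"), 0), docURL=mvindex(split(pair, "|"), 1)
| fields - pair results
| table score docURL
```

With max_match=0, rex keeps matching through the whole string, so score and docURL come out as parallel multivalue fields. mvzip() pairs the nth score with the nth URL into one value, mvexpand turns each pair into its own event, and the final eval splits the pair back into scalar columns. The explicit "|" delimiter is there because mvzip() defaults to a comma, which can legitimately appear in a URL; pick any character that cannot occur in the data. Anchoring the pattern on the || boundary and the leading integer rank matters: a looser pattern such as (?<score>\d+\.\d+)##(?<docURL>[^#]+)## would also fire on a URL that happens to end in digits and a dot-separated version number.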

aljohnson_splun
Splunk Employee

How are the events separated at the present moment? Assuming these are already indexed too?


aljohnson_splun
Splunk Employee

So your question is focused on a different way to extract the doc URLs? Is there a full actual URL in the real data? Or is the value occurring before (e.g. 18.5134868621826##docURL) or is it after (e.g. docURL##False)? I'm guessing it isn't the extraction of the literal string 'docURL'.


feickertmd
Communicator

The string "docURL" is a placeholder for a real URL.


feickertmd
Communicator

Right now there is no separation of the value in that field. It exists in the form I showed you above as a value in a single event.
