Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split a value that is delimited lines inside of a delimited line

feickertmd
Communicator
‎11-12-2014 07:25 AM

Here's a puzzler for you all.

I have SharePoint search logs coming in. The results field has a value like this:
4##18.3953018188477##docURL##False##False##True##False##||0##18.5134868621826##docURL##False##False##True##False##||2##18.4921894073486##docURL##False##False##True##False##||... etc.

Note that there exist TWO delimiters: || to separate the results sets and ## to separate the values within the result set.

I know I can use split to separate at || and create a MV field. But is it possible from that point to do this:

  1. Hit each of the new values.
  2. Split them to MV files on ##.
  3. Extract the value for display.

Or, of course, is there a different way to extract those doc URLs? I want to display them in a report of search string and returned results.

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-12-2014 12:49 PM

You could use rex or the field extractor to get the URL saved as field. Its hard to give an example for rex without seeing how the search is structured within the docURL, but it might look something like:
| rex "url_base_here(?<docURL>search_string_here)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-12-2014 12:49 PM

You could use rex or the field extractor to get the URL saved as field. Its hard to give an example for rex without seeing how the search is structured within the docURL, but it might look something like:
| rex "url_base_here(?<docURL>search_string_here)"

0 Karma
Reply
Solved! Jump to solution

feickertmd
Communicator
‎11-12-2014 01:01 PM

Since what I'm after will be two fields from each part of the string, I plan to run rex to extract and , then use mvzip() and and mvexpand to create new columns of data.

Thanks for the answer!

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-12-2014 09:26 AM

How are the events separated at the present moment? Assuming these are already indexed too ?

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-12-2014 09:50 AM

So your question is focused on a different way to extract the doc urls ? Is there a full actual url in the real data? Or is the it value occurring before (e.g. 18.5134868621826##docURL ) or is it after (e.g. docURL##False)? I'm guessing it isn't the extraction of the literal string 'docURL'.

0 Karma
Reply
Solved! Jump to solution

feickertmd
Communicator
‎11-12-2014 10:10 AM

The string "docURL" is a placeholder for a real URL

0 Karma
Reply
Solved! Jump to solution

feickertmd
Communicator
‎11-12-2014 09:31 AM

Right now there is no separation of the value in that field. It exists in the form I showed you above as a value in a single event.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...