Solved: splitting key/value pair from a field without spac...

anasar · ‎06-23-2016

Hi,

One of my field is dc_size, which has value "US_0UK_9SG_20CA_5". Please let me know how to split it to key value pair as,
US 0
UK 9
SG 20
CA 5

and graph trends for US, UK, SG and CA.

Thank you.

javiergn · ‎06-23-2016

Either this if you want it to be multivalued (ignore the first two lines that I used to replicate your use case):

| stats count | fields - count
| eval raw = "US_0UK_9SG_20CA_5"
| rex field=raw max_match=0 "(?<DC>[A-Za-z]+)_(?<Size>\d+)"
| table DC, Size

Or this if you want it to be separate events:

| stats count | fields - count
| eval raw = "US_0UK_9SG_20CA_5"
| rex field=raw max_match=0 "(?<DCSize>[A-Za-z]+_\d+)"
| mvexpand DCSize
| rex field=DCSize "(?<DC>[A-Za-z]+)_(?<Size>\d+)"
| table DC, Size

View solution in original post

javiergn · ‎06-23-2016

Either this if you want it to be multivalued (ignore the first two lines that I used to replicate your use case):

| stats count | fields - count
| eval raw = "US_0UK_9SG_20CA_5"
| rex field=raw max_match=0 "(?<DC>[A-Za-z]+)_(?<Size>\d+)"
| table DC, Size

Or this if you want it to be separate events:

| stats count | fields - count
| eval raw = "US_0UK_9SG_20CA_5"
| rex field=raw max_match=0 "(?<DCSize>[A-Za-z]+_\d+)"
| mvexpand DCSize
| rex field=DCSize "(?<DC>[A-Za-z]+)_(?<Size>\d+)"
| table DC, Size

anasar · ‎06-30-2016

sorry for the delay javiergn. your answers worked perfectly for me.

splitting key/value pair from a field without space

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...