Solved: I want to split a field into two different fields ... - Splunk Community

Splunk Search

I want to split a field into two different fields for comparission,
my data is in the format:
address= 5555 xxxxx yyy Apt Z
desired result :
house number= 5555
street address = xxxx yyy

I have tried to use the split command but does not help me with what I want

1 Solution

Solution

Try rex.

... | rex field=address "(?<houseNumber>\d+)\s(?<streetAddress>.*)" | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

@jaleelahmed94, please try the following rex command:

<YourBaseSearch>
| table address
| rex field=address "address=\s(?<house_number>\d+)\s(?<street_address>.*)"

You can test the Regular Expression inside double quotes on regex101.com with your sample data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Solution

Try rex.

... | rex field=address "(?<houseNumber>\d+)\s(?<streetAddress>.*)" | ...

---
If this reply helps you, Karma would be appreciated.

Thanks, I was looking for something like this!

I instead used rex field=address "(?\s+)\s(?.*)"
because the address field was string.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...