Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to divide field value using "line break" as a delimiter

salt87
Engager
‎07-23-2019 05:32 PM

I have a lookup that I try to divide using a "line break" as a delimiter. It's kind of hard to explain so I attached a screenshot of what I would like to do.
alt text
In the screenshot you can see that there is a line break between the data (eg. Data1 and Data2).

Would this be possible to do in splunk? thanks

Preview file
1 KB
0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-28-2019 08:29 PM

I wonder if some of your terminology is keeping folks from being able to form a constructive answer... a lookup in Splunk is one of several formats, but they are all specific and structured. The delimiter is specific. https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Aboutlookupsandfieldactions

Depending on how large and dynamic this file is, you might be better off pre-processing it and then feeding it in as a lookup either to the KV store or as a csv. But you could also legitimately read that file (if it is very dynamic and perhaps very large) into an index (you can have as many indexes as you like) using whatever you like as your delimiter. When the destination is an index... Splunk has a very powerful parsing capability that allows you to describe whatever the shape of your line and the break. You would do this in the props.conf file.

The confusion I think is that you appear to have data that is the result of a report on top (not events, nor is it a format for which you would use as a lookup) and on the bottom is something more along the lines of what you might use for a lookup. But ALL of it is "pipe" delimited. Each line would be broken with a carriage return and line feed ([\r\n]+) and you can choose to represent all of it in a number of ways. You are going to want to start here:

Hopefully this will get you started... if not. Can you perhaps elaborate on your use case please?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply

woodcock
Esteemed Legend
‎07-28-2019 05:50 AM

Splunk is a plain-text tool so why in the world would you post an image? We cannot help you.

0 Karma
Reply

salt87
Engager
‎08-11-2019 04:18 PM

" It's kind of hard to explain so I attached a screenshot of what I would like to do."

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2019 07:55 PM

You are still not make sense. Show us your raw event data, then show us a mockup of your desired final output.

0 Karma
Reply

jawaharas
Motivator
‎07-26-2019 11:09 PM

Is this your input file? And are you trying to add this file into Splunk and process it?

If yes, what's the expected processed result out of this input file?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...