I have a lookup that I try to divide using a "line break" as a delimiter. It's kind of hard to explain so I attached a screenshot of what I would like to do.
In the screenshot you can see that there is a line break between the data (e.g. Data1 and Data2).
Would this be possible to do in Splunk? Thanks
I wonder if some of your terminology is keeping folks from being able to form a constructive answer... a lookup in Splunk is one of several formats, but they are all specific and structured. The delimiter is specific. https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Aboutlookupsandfieldactions
Depending on how large and dynamic this file is, you might be better off pre-processing it and then feeding it in as a lookup either to the KV store or as a csv. But you could also legitimately read that file (if it is very dynamic and perhaps very large) into an index (you can have as many indexes as you like) using whatever you like as your delimiter. When the destination is an index... Splunk has a very powerful parsing capability that allows you to describe whatever the shape of your line and the break. You would do this in the props.conf file.
The confusion, I think, is that you appear to have data that is the result of a report on top (not events, nor is it a format which you would use as a lookup) and on the bottom is something more along the lines of what you might use for a lookup. But ALL of it is "pipe" delimited. Each line would be broken with a carriage return and line feed ([\r\n]+) and you can choose to represent all of it in a number of ways. You are going to want to start here:
Hopefully this will get you started... if not, can you perhaps elaborate on your use case please?
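The index-time line breaking and pipe-delimited field extraction described in the answer above, as an added configuration example that is not part of the original thread. The sourcetype name `pipe_report`, the transform name and the field names are hypothetical placeholders, since the poster's actual data is not shown.

```ini
# props.conf
# "pipe_report" is a hypothetical sourcetype name for the pipe-delimited file.
[pipe_report]
# Treat every physical line as its own event instead of merging lines.
SHOULD_LINEMERGE = false
# Break events on any run of carriage returns / line feeds, as the answer suggests.
# A blank line between blocks is consumed by the same break.
LINE_BREAKER = ([\r\n]+)
# Search-time field extraction, defined in transforms.conf below.
REPORT-pipe_fields = pipe_report_fields

# transforms.conf
[pipe_report_fields]
# Split each event on the pipe character.
DELIMS = "|"
# Placeholder field names; replace with the real column names, in order.
FIELDS = "field1", "field2", "field3"
```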
Splunk is a plain-text tool so why in the world would you post an image? We cannot help you.
"It's kind of hard to explain so I attached a screenshot of what I would like to do."
You are still not making sense. Show us your raw event data, then show us a mockup of your desired final output.
Is this your input file? And are you trying to add this file into Splunk and process it?
If yes, what's the expected processed result out of this input file?