Splunk Search

Breaking of one field values into 2-3 different fields

mohammedk01
Explorer

Hi,

I have a field called Location and It have data like Call Type, Site, Wing and Room all in just one field called Location. I want to break it down and separate Call Type, Wing and Room as 3 separate fields so that I can achieve filters on a dashboard.

Please let me know if that's achievable.

Thanks,

0 Karma

to4kawa
Ultra Champion
| stats count
| eval _raw="LOC_ID,LABEL
0000000100020003,Australia NSW Sydney Strathfield"
| multikv forceheader=1
| mvexpand _raw
| table LOC_ID LABEL
`comment("this is sample data")`
| rex field=LOC_ID "(?<Area_code>\d{4})(?<Country_code>\d{4})(?<States_code>\d{4})"
| rex field=LABEL "(?<Country>[^ ]+) (?<State>[^ ]+) (?<Region>[^ ]+) (?<Suburb>[^ ]+)"
| table LOC_ID Area_code Country_code States_code LABEL Country State Region Suburb

Hi, all. this is sample query.
How about this?
I divided it into four according to the example sentence.
Wasn't it divided into three?

@aberkow , I'm sorry to break into a conversation.

0 Karma

anthonymelita
Contributor

You should probably provide an example with delimiters, but you can do this with regex if nothing else.

0 Karma

mohammedk01
Explorer

Hi Anthony,

I have like two fields namely LOC_ID(Location Id) and LABEL(Location Description) so,

LOC_ID LABEL
0000000100020003 Australia NSW Sydney Strathfield

so as you can see LOC_ID has like 16 digits and each 4 defines a value for example the first 4 0000 defines Country, the next 4 0001 States and so on.

I want to break LABEL field and get 3 new fields separately as State, Region and Suburb like so that I can add 3 filters on my dashboard such as State Region and suburb

0 Karma

aberkow
Builder

I don't fully grasp which of the 4 values in label should go into which of the 3 buckets, but for LOC_ID you can use rex like anthony suggested or used substr if you know that it's always 16 digits https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/TextFunctions#substr.28X.2CY.2CZ.....

The syntax is as follows:
|eval Country=substr(LOC_ID, 1, 4) and this would take the first 4 digits of LOC_ID and create a new field called Country. You can do this for the other 3 as well. I like substr because it gives you a lot of string flexibility without the complexity of regex.

If you clarify the LABEL question I had I might be able to help there as well.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...