Hi,
I have a field called Location and It have data like Call Type, Site, Wing and Room all in just one field called Location. I want to break it down and separate Call Type, Wing and Room as 3 separate fields so that I can achieve filters on a dashboard.
Please let me know if that's achievable.
Thanks,
| stats count
| eval _raw="LOC_ID,LABEL
0000000100020003,Australia NSW Sydney Strathfield"
| multikv forceheader=1
| mvexpand _raw
| table LOC_ID LABEL
`comment("this is sample data")`
| rex field=LOC_ID "(?<Area_code>\d{4})(?<Country_code>\d{4})(?<States_code>\d{4})"
| rex field=LABEL "(?<Country>[^ ]+) (?<State>[^ ]+) (?<Region>[^ ]+) (?<Suburb>[^ ]+)"
| table LOC_ID Area_code Country_code States_code LABEL Country State Region Suburb
Hi, all. this is sample query.
How about this?
I divided it into four according to the example sentence.
Wasn't it divided into three?
@aberkow , I'm sorry to break into a conversation.
You should probably provide an example with delimiters, but you can do this with regex if nothing else.
Hi Anthony,
I have like two fields namely LOC_ID(Location Id) and LABEL(Location Description) so,
LOC_ID LABEL
0000000100020003 Australia NSW Sydney Strathfield
so as you can see LOC_ID has like 16 digits and each 4 defines a value for example the first 4 0000 defines Country, the next 4 0001 States and so on.
I want to break LABEL field and get 3 new fields separately as State, Region and Suburb like so that I can add 3 filters on my dashboard such as State Region and suburb
I don't fully grasp which of the 4 values in label should go into which of the 3 buckets, but for LOC_ID you can use rex
like anthony suggested or used substr
if you know that it's always 16 digits https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/TextFunctions#substr.28X.2CY.2CZ.....
The syntax is as follows:
|eval Country=substr(LOC_ID, 1, 4)
and this would take the first 4 digits of LOC_ID and create a new field called Country. You can do this for the other 3 as well. I like substr because it gives you a lot of string flexibility without the complexity of regex.
If you clarify the LABEL question I had I might be able to help there as well.