Getting Data In

How split up a sentence string into multiple words

ibowman1995
Engager

Hi,
let's say there is a field like this:
userData= Split this string

Is it possible to extract this sentence into different fields?
userData1=split
userData2=this
userData3=string

Tags (2)
0 Karma
1 Solution

dindu
Contributor

Hi,

You could try this as well.
Please test and let us know.

| makeresults 
| eval userData="Split this string"
|table userData
|eval words=split(userData," ")
|eval userData1=mvindex(words,0),userData2=mvindex(words,1),userData3=mvindex(words,2)

View solution in original post

dindu
Contributor

Hi,

You could try this as well.
Please test and let us know.

| makeresults 
| eval userData="Split this string"
|table userData
|eval words=split(userData," ")
|eval userData1=mvindex(words,0),userData2=mvindex(words,1),userData3=mvindex(words,2)

to4kawa
Ultra Champion

Hi, @ibowman1995
Yes, you can. try this.

| makeresults 
| eval userData="Split this string"
| rex field=userData "(?<userData1>[^ ]+) (?<userData2>[^ ]+) (?<userData3>[^ ]+)"
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, it's possible. Look in the search docs for split. It returns a multi-value field with the words from the original string. Use mvindex() to access them.

... | eval words = split(userData, " ") 
| eval userData1=mvindex(userData, 0), userData2=mvindex(userData,1), userData3=mvindex(userData, 2)
---
If this reply helps you, Karma would be appreciated.

jacono64
Engager

i can confirm this works bc i had multiple fields in one string.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...