All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I use rex/regex in split() in deliminator?

0waste_splunk
Communicator
‎07-02-2013 01:26 PM

Hi,

I am facing problem in split() in eval query. Is there a way to add rex/regex in split function to as deliminator?

I have a field with a value in really big string and i want to split the word based on white space. some time there are multiple white spaces between words. anybody has any idea how should i use split function?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-03-2013 03:10 PM

The split function does not work that way. However, you could use the rex command to extract two new fields from an existing field; rex uses regular expressions. So, you could so something like this:

yoursearchhere
| rex field=originalField "(?<fieldPartA>\S+)\s+(?<fieldPartB>\S+)"

The good thing about this technique is that you could use any string or regular expression as the delimiter. In my example, I simply used \s+ for one or more instances of white space.

View solution in original post

Reply
Solved! Jump to solution

gbower333
Path Finder
‎11-30-2016 02:22 PM

I was able to make a new field from _raw with an intentional text put in then split on the text something like:

index=main host=foo1bar2
| rex mode=sed field=_raw "s/\d/KEYBOARDWHACK/g" 
| eval splitField=split(_raw,"KEYBOARDWHACK")
| mvexpand splitField

Then you can reference the new splitField for what ever else you want to do.

0 Karma
Reply
Solved! Jump to solution

smalpani
New Member
‎04-14-2014 12:31 PM

0waste_splunk: Once you were able to split the string in different parts, how did you access all the parts of that string (given that the number of parts are not exactly defined some has 2 some has 3 some has 6 etc.)? Can we loop over that string?

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-03-2013 03:10 PM

The split function does not work that way. However, you could use the rex command to extract two new fields from an existing field; rex uses regular expressions. So, you could so something like this:

yoursearchhere
| rex field=originalField "(?<fieldPartA>\S+)\s+(?<fieldPartB>\S+)"

The good thing about this technique is that you could use any string or regular expression as the delimiter. In my example, I simply used \s+ for one or more instances of white space.

Reply
Solved! Jump to solution

bmacias84
Champion
‎07-08-2013 03:40 PM

Check out this post which uses transforms and source_key to perform fields extractions already extracted fields: http://splunk-base.splunk.com/answers/83884/multi-line-field-extraction-in-propsconf?page=1&focusedA...

0 Karma
Reply
Solved! Jump to solution

0waste_splunk
Communicator
‎07-08-2013 02:34 PM

how can i access fieldPartA and fieldPartB?
and also i dont know before hand how many words will be there in that field.
e.g.
i have field conain as follow
OriginalField
2010-2001 2012-3432 2013-6532 .......
and there are 100s of lines like this some contain 3 value some contain 10 value.
i want to extract this,"2010-2001", kind of value so i can use join query on this extracted value.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...