Hi,
I am facing a problem with split() in an eval query. Is there a way to use rex/regex in the split function as the delimiter?
I have a field with a value that is a really big string, and I want to split the words based on white space. Sometimes there are multiple white spaces between words. Does anybody have any idea how I should use the split function?
The split function does not work that way. However, you could use the rex command to extract two new fields from an existing field; rex uses regular expressions. So, you could do something like this:
yoursearchhere
| rex field=originalField "(?<fieldPartA>\S+)\s+(?<fieldPartB>\S+)"
The good thing about this technique is that you could use any string or regular expression as the delimiter. In my example, I simply used \s+ for one or more instances of white space.
I was able to make a new field from _raw with an intentional text put in, then split on the text, something like:
index=main host=foo1bar2
| rex mode=sed field=_raw "s/\d/KEYBOARDWHACK/g"
| eval splitField=split(_raw,"KEYBOARDWHACK")
| mvexpand splitField
Then you can reference the new splitField for whatever else you want to do.
0waste_splunk: Once you were able to split the string into different parts, how did you access all the parts of that string (given that the number of parts is not exactly defined: some have 2, some have 3, some have 6, etc.)? Can we loop over that string?
Check out this post, which uses transforms and source_key to perform field extractions on already extracted fields: http://splunk-base.splunk.com/answers/83884/multi-line-field-extraction-in-propsconf?page=1&focusedA...
How can I access fieldPartA and fieldPartB?
Also, I don't know beforehand how many words there will be in that field.
e.g.
I have a field that contains the following:
OriginalField
2010-2001 2012-3432 2013-6532 .......
There are 100s of lines like this; some contain 3 values, some contain 10 values.
I want to extract this "2010-2001" kind of value so I can use a join query on the extracted value.
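An added example, not part of the original thread: one way to pull an unknown number of whitespace-separated values out of a field, using rex with max_match=0 and, for comparison, split() after collapsing runs of white space with replace(). The two sample events, the row field and the output field names (part, viaSplit, partCount) are constructed for illustration; OriginalField and the value format come from the question above.

```spl
| makeresults count=2
| streamstats count AS row
| eval OriginalField=if(row=1, "2010-2001   2012-3432 2013-6532", "2011-1111  2014-2222")
| rex field=OriginalField max_match=0 "(?<part>\d{4}-\d{4})"
| eval viaSplit=split(replace(trim(OriginalField), "\s+", " "), " ")
| eval partCount=mvcount(part)
| mvexpand part
| table row partCount part viaSplit
```

With max_match=0, rex returns every match as a multivalue field, so the number of values does not need to be known in advance; after mvexpand each value sits in its own event and part can be used as a key in a later join or stats.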