Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to divide field value using "line break" as a delimiter

salt87
Engager
‎07-23-2019 05:32 PM

I have a lookup that I try to divide using a "line break" as a delimiter. It's kind of hard to explain so I attached a screenshot of what I would like to do.
alt text
In the screenshot you can see that there is a line break between the data (eg. Data1 and Data2).

Would this be possible to do in splunk? thanks

Preview file
1 KB
0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎07-28-2019 08:29 PM

I wonder if some of your terminology is keeping folks from being able to form a constructive answer... a lookup in Splunk is one of several formats, but they are all specific and structured. The delimiter is specific. https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Aboutlookupsandfieldactions

Depending on how large and dynamic this file is, you might be better off pre-processing it and then feeding it in as a lookup either to the KV store or as a csv. But you could also legitimately read that file (if it is very dynamic and perhaps very large) into an index (you can have as many indexes as you like) using whatever you like as your delimiter. When the destination is an index... Splunk has a very powerful parsing capability that allows you to describe whatever the shape of your line and the break. You would do this in the props.conf file.

The confusion I think is that you appear to have data that is the result of a report on top (not events, nor is it a format for which you would use as a lookup) and on the bottom is something more along the lines of what you might use for a lookup. But ALL of it is "pipe" delimited. Each line would be broken with a carriage return and line feed ([\r\n]+) and you can choose to represent all of it in a number of ways. You are going to want to start here:

Hopefully this will get you started... if not. Can you perhaps elaborate on your use case please?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply

woodcock
Esteemed Legend
‎07-28-2019 05:50 AM

Splunk is a plain-text tool so why in the world would you post an image? We cannot help you.

0 Karma
Reply

salt87
Engager
‎08-11-2019 04:18 PM

" It's kind of hard to explain so I attached a screenshot of what I would like to do."

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2019 07:55 PM

You are still not make sense. Show us your raw event data, then show us a mockup of your desired final output.

0 Karma
Reply

jawaharas
Motivator
‎07-26-2019 11:09 PM

Is this your input file? And are you trying to add this file into Splunk and process it?

If yes, what's the expected processed result out of this input file?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...