Hi,
I'm new to Splunk, so please excuse the basic question. I have some data in the following format:
Field1=abcdefg;Field2=12345;field3=98373
Field1=abcdefg&Field2=12345;field3=98373
Note the different separators. I can quite easily extract one of these using the following command:
... | rex field=_raw "Field1=(?<Field1>.*)Field2=(?<Field2>.*)Field3=(?<Field3>.*)"
I thought I could expand on this, in order to extract both of them at the same time, so I tried this, but it does not seem to work:
... | rex field=_raw "Field1[;&](?<Field1>.*)Field2[;&](?<Field2>.*)Field3[;&](?<Field3>.*)"
Could someone please help with this? I imagine there probably is a better way to do this, but I am still trying different ways. Is there a way to just give my delimiters and have it extract everything in its own field?
Thanks