Selecting a column in tab-delimited text in Splunk
So you have a raw field that looks something like this:
field1 field2 field3 field4 field5
… where the gaps between fields are tab characters (“\t” or ASCII character 9).
You might think the way to select the 3rd field would be as follows:
|eval fields=split(_raw, "\t")
|eval field3=mvindex(fields, 2)
But no. The Splunk split function does not recognise “\t” as the tab character.
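A workaround is to replace all the tabs with a unique string (one that does not occur anywhere in the data) and split on this instead. This works because the sed expression in rex is a regular expression, where \t does match a tab. So the above could be rewritten as follows, copying _raw into myraw first so the original event is left untouched, and using mvindex (which counts from 0) to pick the 3rd value:
|eval myraw=_raw
|rex mode=sed field=myraw "s/\t/MYUNIQUESEPARATOR/g"
|eval fields=split(myraw, "MYUNIQUESEPARATOR")
|eval field3=mvindex(fields, 2)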