Documenting Problems That Were Difficult To Find The Answer To

Selecting a column in tab-delimited text in Splunk

So you have a raw field that looks something like this:

field1	field2	field3	field4	field5

… where the gaps between fields are tab characters (“\t” or ASCII character 9).

You might think the way to select the 3rd field would be as follows (note that mvindex is zero-based, so the 3rd field is index 2):

index=myindex mysearchterm
  |eval fields=split(_raw, "\t" )
  |eval desiredfield=mvindex(fields,2)

But no. The Splunk split() eval function does not recognise “\t” as the tab character.

A workaround is to replace all the tabs with a unique string (one that cannot occur in the data) using rex in sed mode, which does understand “\t”, and split on that string instead. So the above could be rewritten as:

index=myindex mysearchterm
  |eval myraw=_raw
  |rex mode=sed field=myraw "s/\t/MYUNIQUESEPARATOR/g"
  |eval fields=split(myraw, "MYUNIQUESEPARATOR" )
  |eval desiredfield=mvindex(fields,2)
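A self-contained search to try the workaround without any indexed data (an added example, not from the original post). It builds a constructed tab-delimited event with makeresults, using urldecode("%09") to produce real tab characters because eval string literals do not interpret “\t”; mvcount is added as a sanity check that the split produced five fields, and desiredfield should come out as field3.

```spl
| makeresults
| eval _raw=urldecode("field1%09field2%09field3%09field4%09field5")
| eval myraw=_raw
| rex mode=sed field=myraw "s/\t/MYUNIQUESEPARATOR/g"
| eval fields=split(myraw, "MYUNIQUESEPARATOR")
| eval fieldcount=mvcount(fields)
| eval desiredfield=mvindex(fields,2)
| table fieldcount desiredfield
```

If fieldcount is 1 rather than 5, the tab replacement did not fire, which usually means the raw field contains spaces or literal backslash-t text rather than real tab characters.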

