Sumo Logic

Parse Delimited Logs Using Split

The Split operator allows you to split strings into multiple strings, and parse delimited log entries, such as space-delimited formats.

To parse log entries from CSV files, you can use the simpler CSV operator.

Syntax:

Extract fields using index:

  • split fieldName extract 1 as A, 2 as B, 5 as E, 6 as F

Extract fields using position:

  • split fieldName extract A, B, _, _, E, F

Mix positional and index-based:

  • split fieldName extract A, B, 5 as E, F

Extract from an existing field:

  • parse "start*end" as fieldName | split fieldName extract 1 as A, 2 as B, 5 as E, 6 as F

Specify a delimiter, escape, and quote character:

  • split fieldName escape='\', delim=':', quote=''' extract A, B, _, _, E, F

Rules:

  • By default, the Split operator uses a comma (,) as the delimiter, a backslash (\) as the escape character, and a double quote (") as the quote character; you can define your own for each.
  • If you define your own escape, delimiter, and quote characters, they must all be different.
  • A field name is always required.

Note for the related keyvalue operator: if you use keyvalue with delim, "keys" must come before "delim" in the query, or you will get an error.

Examples

Parsing a colon-delimited log.

For example, if you had a source with the following colon-delimited log message:

[05/09/2014 09:39:990] INFO little@sumologic.com:ABCD00001239:EFGH1234509: "Upload Complete - Your message has been uploaded successfully."

You could parse the fields using the following query:

_sourceCategory=colon
| parse "] * *" as log_level, split_field
| split split_field delim=':' extract 1 as user, 2 as account_id, 3 as session_id, 4 as result

The parse step isolates everything after the log level into split_field, so that only the colon-delimited payload is split. For the message above this yields log_level = INFO, user = little@sumologic.com, account_id = ABCD00001239, session_id = EFGH1234509, and result = the quoted upload message.

In another example, you could use the following query:

_sourceCategory=colon
| split _raw delim=':' extract 1 as user2, 2 as id, 3 as name

Be aware that this splits the entire raw message, and the bracketed timestamp also contains colons. On the message above, field 1 is "[05/09/2014 09", field 2 is "39", and field 3 is "990] INFO little@sumologic.com", not the user, account and session values. Whenever the prefix of a message can contain the delimiter, use parse first to isolate the delimited part, as in the previous example.

Parsing a CSV file.

Use the following query to extract comma delimited fields as specified:

_sourceCategory=csv
| split _raw delim=',' extract 1 as user2, 2 as id, 3 as name

which assigns the first three comma-separated values of each message to user2, id, and name. A value enclosed in the quote character (double quote by default) can itself contain commas without being split into separate fields.
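As an added illustration (not Sumo Logic's own implementation), the following Python emulates the Split operator's tokenizing rules and its index-based, positional, and mixed extract clauses, and runs them over the colon-delimited message above, a constructed space-delimited line, and a constructed CSV line. The exact quote-stripping and escape behaviour of the real operator is not documented on this page, so the semantics chosen here (quotes protect delimiters and are dropped; the escape character makes the next character literal) are assumptions modelled on common CSV conventions. The function names, the sample log lines, and the field names other than those used on this page are constructed for the example.

```python
"""Emulation of Sumo Logic's `split` operator semantics (added example, not
Sumo Logic code): delimiter/escape/quote tokenizing plus index-based,
positional and mixed `extract` clauses, run over constructed log lines."""
from typing import Dict, List, Optional


def split_fields(text: str, delim: str = ",", escape: str = "\\",
                 quote: str = '"') -> List[str]:
    """Tokenize `text` on `delim`, honouring the escape and quote characters.

    Assumed semantics (the docs only state the defaults): a delimiter inside a
    quoted run is literal and the quote characters themselves are dropped; the
    escape character makes the next character literal. The docs do require the
    three characters to differ, so that is enforced here.
    """
    if len({delim, escape, quote}) != 3:
        raise ValueError("delim, escape and quote must all be different")
    fields: List[str] = []
    current: List[str] = []
    in_quote = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == escape and i + 1 < len(text):
            current.append(text[i + 1])   # escaped character is taken literally
            i += 2
            continue
        if ch == quote:
            in_quote = not in_quote       # an unterminated quote runs to end of text
        elif ch == delim and not in_quote:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def extract(fields: List[str], spec: str) -> Dict[str, Optional[str]]:
    """Apply an `extract` clause. Items are `N as name` (1-based index) or a
    bare `name`, which takes the position after the previous item; `_` skips a
    position. A position beyond the available fields yields None."""
    out: Dict[str, Optional[str]] = {}
    pos = 0
    for item in spec.split(","):
        item = item.strip()
        if " as " in item:
            idx, name = item.split(" as ", 1)
            pos = int(idx.strip())
        else:
            name = item
            pos += 1
        name = name.strip()
        if name == "_":
            continue
        out[name] = fields[pos - 1] if 0 < pos <= len(fields) else None
    return out


# The colon-delimited message from this page, and two constructed lines.
COLON_LOG = ('[05/09/2014 09:39:990] INFO little@sumologic.com:ABCD00001239:'
             'EFGH1234509: "Upload Complete - Your message has been uploaded '
             'successfully."')
SPACE_LOG = 'GET /login 200 512 10.0.0.5 Mozilla'          # constructed
CSV_LOG = 'alice@example.com,1042,"Smith, Alice"'          # constructed


def parse_colon_example() -> Dict[str, Optional[str]]:
    """Emulate: parse "] * *" as log_level, split_field
                | split split_field delim=':' extract 1 as user, ..."""
    after_bracket = COLON_LOG.split("] ", 1)[1]
    log_level, split_field = after_bracket.split(" ", 1)
    rec = extract(split_fields(split_field, delim=":"),
                  "1 as user, 2 as account_id, 3 as session_id, 4 as result")
    rec["log_level"] = log_level
    return rec


def parse_raw_colon_pitfall() -> Dict[str, Optional[str]]:
    """Emulate: split _raw delim=':' extract 1 as user2, 2 as id, 3 as name.
    The timestamp's colons are split too, so the first fields are not the user."""
    return extract(split_fields(COLON_LOG, delim=":"),
                   "1 as user2, 2 as id, 3 as name")


def parse_positional_example() -> Dict[str, Optional[str]]:
    """Positional clause with `_` skips on a space-delimited line."""
    return extract(split_fields(SPACE_LOG, delim=" "),
                   "method, path, _, _, client_ip, agent")


def parse_mixed_example() -> Dict[str, Optional[str]]:
    """Mixed clause: `5 as client_ip` jumps to field 5, `agent` continues at 6."""
    return extract(split_fields(SPACE_LOG, delim=" "),
                   "method, path, 5 as client_ip, agent")


def parse_csv_example() -> Dict[str, Optional[str]]:
    """Emulate: split _raw delim=',' extract 1 as user2, 2 as id, 3 as name.
    The quoted "Smith, Alice" stays one field despite its comma."""
    return extract(split_fields(CSV_LOG, delim=","),
                   "1 as user2, 2 as id, 3 as name")


def rejects_clashing_chars() -> bool:
    """True if the 'all three characters must differ' rule is enforced."""
    try:
        split_fields("x", delim=",", quote=",")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for fn in (parse_colon_example, parse_raw_colon_pitfall,
               parse_positional_example, parse_mixed_example, parse_csv_example):
        print(fn.__name__, fn())
```

Running the script prints each emulated query's fields; parse_raw_colon_pitfall shows why the page's first example isolates the payload with parse before splitting, and parse_csv_example shows the quote character keeping an embedded delimiter inside one field.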