topic Field extraction in a string in All Apps and Add-ons

Field extraction in a string

retesi — Tue, 12 Nov 2013 16:12:04 GMT

Hello to all,

how can I make a field extraction from a string:

qwertyuiop

from the third to seventh character..

In order to obtain as a result:

ertyuio

thanks in advance

Re: Field extraction in a string

kristian_kolb — Tue, 12 Nov 2013 16:19:17 GMT

well, with rex you can do it like so, assuming that the string 'qwertyuiop' is in a field called theString

... | rex field=theString "\w\w(?<result>\w{7})" |

OR with eval you can do it like this;

... | eval result=substr(theString, 3, 7) |

Hope that helps,

Re: Field extraction in a string

somesoni2 — Tue, 12 Nov 2013 16:28:09 GMT

Just small correction to rex

"\w\w\w(?\w{7})"

Re: Field extraction in a string

amit_saxena — Tue, 12 Nov 2013 16:54:31 GMT

Hi,

There seems to be typo in your post as you are looking to extract 7 characters starting from character number 3 and not characters between 3rd till 7th characters.

I am referring the same assumption which was mentioned in the post from "kristian.kolb".

Let me know if following works for you or not.

... | rex field=theString "\w{2}(?P<myvar>\w{7})"

Regards,
Amit Saxena

Re: Field extraction in a string

lukejadamec — Tue, 12 Nov 2013 16:59:14 GMT

\w\w(?\w{7}) and the eval will both grab the 3rd to 9th characters.

Re: Field extraction in a string

Ayn — Tue, 12 Nov 2013 17:06:23 GMT

Note that you will not be able to search on this field by default since it doesn't correspond to a unique token in Splunk's index. If that's not a problem, all is fine. 😃

Re: Field extraction in a string

jpondrom_splunk — Tue, 24 Oct 2017 14:27:59 GMT

You will need to make an adjustment to fields.conf on the search head.

Setting the INDEXED_VALUE to false should allow you to search on the extracted fields without the wild card.

If one does not exist, you will want to create a fields.conf in $splunkhome/etc/system/local and add the below stanza to it.

[ertyuio or whatever your extraction is named.]
INDEXED_VALUE=false

This should then allow the env=ertyuio search to return results.

Below is a link to the docs page for fields .conf

http://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Fieldsconf

This is what we are changing, it is a bit counter intuitive, though ertyuio is in the event, since it is part of a word and does not exist exactly as "ertyuio" we want to set it as false as it does not count as being part of the raw text in the event.

INDEXED_VALUE = [true|false||]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.

Give that a try for me if you can and let me know your result. It works in my test environment.