https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519375#M146275 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>First, Thanks for your answer.</P><P>&nbsp;</P><P>And I tried like below</P><P>MYSEARCH | rex field=pod "pod(?&lt;number&gt;\d+)" | sort podnumber | table pod podnumber</P><P>&nbsp;</P><P>Erased the part "\-" because that makes no results, although i don't know why.</P><P>&nbsp;</P><P>And * part could be different by row, so it doesn't really helpful I guess.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 14 Sep 2020 08:47:57 GMT splunkkid 2020-09-14T08:47:57Z https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519365#M146269 <P>Hello,</P><P>&nbsp;</P><P>I am currently confront some problem here.</P><P>I want to substring data in specific column using rex.</P><P>&nbsp;</P><P>The column's data looks like below(All same or similar style).</P><P>"****-****-**POD4-***"</P><P>&nbsp;</P><P>In above case, all&nbsp; I need is the number after the word POD. ( * means some alphabets)</P><P>&nbsp;</P><P>Any ideas?&nbsp;</P><P>Thank you.</P><P>&nbsp;</P> Mon, 14 Sep 2020 08:17:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519365#M146269 splunkkid 2020-09-14T08:17:55Z https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519372#M146272 <LI-CODE lang="markup">| rex field=column "POD(?&lt;number&gt;\d+)\-"</LI-CODE><P>where column is the field name your data is in.</P><P>Is it always POD? If not, is it always&nbsp;<SPAN>****-****-**POD4-***&nbsp; 4 letters "-" 4 letters "-" 2 letters 3 characters number (at least 1 digit) "-" 3 letters?</SPAN></P> Mon, 14 Sep 2020 08:32:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519372#M146272 ITWhisperer 2020-09-14T08:32:05Z https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519373#M146273 <P>replace &lt;choosefield&gt; with field name from which you want to extract number after word POD. number will be extracted to new field called "podnumber"</P><LI-CODE lang="markup">| rex field=&lt;choosefield&gt; "POD(?&lt;podnumber&gt;\d+)"</LI-CODE> Mon, 14 Sep 2020 08:33:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519373#M146273 thambisetty 2020-09-14T08:33:29Z https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519375#M146275 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>First, Thanks for your answer.</P><P>&nbsp;</P><P>And I tried like below</P><P>MYSEARCH | rex field=pod "pod(?&lt;number&gt;\d+)" | sort podnumber | table pod podnumber</P><P>&nbsp;</P><P>Erased the part "\-" because that makes no results, although i don't know why.</P><P>&nbsp;</P><P>And * part could be different by row, so it doesn't really helpful I guess.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 14 Sep 2020 08:47:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519375#M146275 splunkkid 2020-09-14T08:47:57Z https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519376#M146276 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129407">@thambisetty</a>&nbsp;</P><P>&nbsp;</P><P>Thanks! This worked exactly how I want.</P> Mon, 14 Sep 2020 08:48:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-substring-using-rex/m-p/519376#M146276 splunkkid 2020-09-14T08:48:42Z