https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253131#M175838 <P>Hi- I have some strings separated by "." delimiter. For example, <BR /> a.b.c.d<BR /> x.y.z<BR /> p.q.r.s.t.u</P> <P>I want to be able to extract the last two fields with the delimiter. So, I want my output to be:<BR /> c.d<BR /> y.z<BR /> t.u</P> <P>Is there a method to perform such action?<BR /> Thanks,<BR /> MA</P> Wed, 25 Jan 2017 14:00:44 GMT masfar 2017-01-25T14:00:44Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253131#M175838 <P>Hi- I have some strings separated by "." delimiter. For example, <BR /> a.b.c.d<BR /> x.y.z<BR /> p.q.r.s.t.u</P> <P>I want to be able to extract the last two fields with the delimiter. So, I want my output to be:<BR /> c.d<BR /> y.z<BR /> t.u</P> <P>Is there a method to perform such action?<BR /> Thanks,<BR /> MA</P> Wed, 25 Jan 2017 14:00:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253131#M175838 masfar 2017-01-25T14:00:44Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253132#M175839 <P>How about trying this, let's say your data is in field <CODE>myField</CODE> which has strings like <CODE>w.x.y.z</CODE></P> <PRE><CODE>your query to return events | eval splitString=split(myField, ".") | eval count=mvcount(splitString) | eval requiredString=mvindex( splitString, count-2).".".mvindex(splitString, count-1) | table requiredString </CODE></PRE> Wed, 25 Jan 2017 18:02:52 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253132#M175839 gokadroid 2017-01-25T18:02:52Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253133#M175840 <P>This can also work, saves the "eval count=mvcount(splitstring)" clause<BR /> | eval splitString=split(myField, ".")<BR /> | eval requiredString=mvindex(splitString, -2).".".mvindex(splitString, -1)<BR /> | table requiredString</P> <P>It appears the mvindex list can use negative indices to start from the end of the list.</P> Wed, 25 Jan 2017 18:30:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253133#M175840 anshu 2017-01-25T18:30:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253134#M175841 <P>Thanks, that works!</P> Wed, 25 Jan 2017 20:28:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253134#M175841 masfar 2017-01-25T20:28:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253135#M175842 <P>An alternative command (rex). Assuming dot as delimiter. Regex might need updates based on type of values the string between delimiter contains.</P> <PRE><CODE>your base search | rex field=myField "\.(?&lt;requiredString&gt;\w+\.\w+)$" | table myField requiredString </CODE></PRE> Wed, 25 Jan 2017 20:35:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253135#M175842 somesoni2 2017-01-25T20:35:44Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253136#M175843 <P>Building on somesoni2's expression, this would allow for any characters other than the delimiter: </P> <PRE><CODE>your base search | rex field=myField "\.(?&lt;requiredString&gt;[^.]+\.[^.]+)$" | table myField requiredString </CODE></PRE> Wed, 25 Jan 2017 20:54:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253136#M175843 anshu 2017-01-25T20:54:22Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253137#M175844 <P>Thanks, somesoni2!</P> Thu, 26 Jan 2017 20:26:46 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-last-two-fields-of-a-string-separated-by-a/m-p/253137#M175844 masfar 2017-01-26T20:26:46Z