https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567420#M197736 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225094">@mcaulsc</a>,</P><P>Please try something like this:</P><LI-CODE lang="markup">index=your_index | eval BB=substr(your_field,5,2) | table _time BB</LI-CODE><P>or using a regex:</P><LI-CODE lang="markup">index=your_index | rex field=your_field "\w{4}(?&lt;BB&gt;\w{2})\w{2"} | table _time BB</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 17 Sep 2021 13:43:52 GMT gcusello 2021-09-17T13:43:52Z https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567415#M197734 <P>Hi,</P><P>in anything else this would seem very simple but I seem to be flummoxed trying to do this in splunk. Probably not helped by having zero regex knowledge.</P><P>I have a field that has values in the format:&nbsp; AAAABBCC</P><P>I want to return all values that have BB in position 5, if anyone could be so kind as to&nbsp; provide a sample I can then pull it apart and try and work out how it does it.</P><P>Thanks.</P> Fri, 17 Sep 2021 13:35:31 GMT https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567415#M197734 mcaulsc 2021-09-17T13:35:31Z https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567420#M197736 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225094">@mcaulsc</a>,</P><P>Please try something like this:</P><LI-CODE lang="markup">index=your_index | eval BB=substr(your_field,5,2) | table _time BB</LI-CODE><P>or using a regex:</P><LI-CODE lang="markup">index=your_index | rex field=your_field "\w{4}(?&lt;BB&gt;\w{2})\w{2"} | table _time BB</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 17 Sep 2021 13:43:52 GMT https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567420#M197736 gcusello 2021-09-17T13:43:52Z https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567423#M197739 <P>Assuming characters 1-4=A 5-6=B and 7-8=C, the following should work:<BR /><BR />| rex field=YourField "(?&lt;A_values&gt;....)(?&lt;B_values&gt;..)(?&lt;C_values&gt;..)<BR /><BR />You should now have three fields A_values, B_values, and C_values.</P><P>&nbsp;</P> Fri, 17 Sep 2021 13:45:03 GMT https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567423#M197739 solarboyz1 2021-09-17T13:45:03Z https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567428#M197742 <P>thanks, that gets me a list of all the possible values in pos 5 for 2. What I want is the whole value if I have a match.</P><P>so if I have AAAABBCC I have a match on BB in pos5,2 so return AAAABBCC</P> Fri, 17 Sep 2021 13:50:28 GMT https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567428#M197742 mcaulsc 2021-09-17T13:50:28Z https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567430#M197743 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225094">@mcaulsc</a>,</P><P>ok, if you want to search the values "xx" in the fifth and sixth posizion, try something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=your_index | eval BB=substr(your_field,5,2) | search BB="xx" | table _time your_field BB</LI-CODE><P>&nbsp;</P><P>&nbsp;Ciao.</P><P>Giuseppe</P> Fri, 17 Sep 2021 13:53:52 GMT https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567430#M197743 gcusello 2021-09-17T13:53:52Z https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567433#M197745 <P>That's the one, been tying myself in knots with this for far longer than I should and ended up down regex rabbit holes that I didn't need to be down.<BR />Many thanks for the help.</P> Fri, 17 Sep 2021 13:57:23 GMT https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567433#M197745 mcaulsc 2021-09-17T13:57:23Z https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567434#M197746 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225094">@mcaulsc</a>,</P><P>good for you, see nect time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 17 Sep 2021 13:57:24 GMT https://community.splunk.com/t5/Splunk-Search/regex-substr-help/m-p/567434#M197746 gcusello 2021-09-17T13:57:24Z