topic Re: extracting the first 3 characters from a field? in Splunk Search

extracting the first 3 characters from a field?

HattrickNZ — Fri, 20 Mar 2015 02:52:47 GMT

How do I extract the first 3 characters from a field ?

I thought it might be something like ... | eval First3=substring(fieldname,3)

Anyone know the function or regex that would do this?

Re: extracting the first 3 characters from a field?

cpetterborg — Fri, 20 Mar 2015 02:58:44 GMT

rex field=fieldname "^(?P<first3>...)”

Re: extracting the first 3 characters from a field?

vincenteous — Fri, 20 Mar 2015 05:40:15 GMT

Hi Hattrick,

To achieve this, you can use either "rex" or "substr" function. For example:

You have a field called "name" and the value is "Mario"

Using rex:

... | rex field=name "(?P<subname>\w{3}).*"

Using substr:

... | eval subname=substr(name,1,3)

Both should produce "Mar"

Reference: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions

Re: extracting the first 3 characters from a field?

chimell — Fri, 20 Mar 2015 08:08:11 GMT

hi HattrickNZ

If you already have the field that you want to extract their 3 first characters try to use this

    ....... | eval First3=substr(fieldname,1,3)

For example with access_combined sourcetype you can extract the 3 first characters of clientip field and use it to count the number of events by cli3 like this

 sourcetype=access_* | eval cli3=substr(clientip , 1 ,3) |stats count by cli3

Re: extracting the first 3 characters from a field?

cpetterborg — Fri, 20 Mar 2015 15:54:46 GMT

Your rex will only catch the first three word characters. If there is punctuation, it will move on until it finds word characters, which may not be the first three characters. If the field contains "a-bc-def" then your rex would match "def" not "a-b".

Re: extracting the first 3 characters from a field?

vincenteous — Fri, 20 Mar 2015 16:29:23 GMT

Right, missed that one. Thank for the notice

Re: extracting the first 3 characters from a field?

HattrickNZ — Mon, 23 Mar 2015 02:29:04 GMT

tks, perfect

Re: extracting the first 3 characters from a field?

gbower333 — Tue, 29 Sep 2020 17:16:36 GMT

Interesting note , I used 3 methods to get characters and deal with several lines in my data:

| abstract maxterms=24 maxlines=1
-I wanted to only see the first line but this pulled 24 characters into one line. Not too bad though.

| rex "^(?.{24})"
-Did not match the new line, returned nothing if first line was shorter than 24 characters.

| eval TIME=substr(_raw,1,24)
-Going to use this one.

Using this to look at TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, and TIME_FORMAT settings in bulk.

Re: extracting the first 3 characters from a field?

shahrukhvp — Sun, 29 Oct 2023 12:16:10 GMT

I am not sure if this option was available in 2015 but as of today the easier way to do this would be with the use of one of the text functions with the EVAL command.

Usage: substr(<str>,<start>,<length>)

In your case:
| eval n=substr("your_string", 1, 3)

Re: extracting the first 3 characters from a field?

inventsekar — Mon, 30 Oct 2023 01:38:43 GMT

Tested the rex and substr, which works perfect. The abstract giving some troubles, will check it again.
https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Abstract

this produces this result:

samplelog EightCharsRex EightCharsSubStr h1 #_"he$$llohibye h1 #_"he h1 #_"he