https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335408#M99637 <P>hello there,<BR /> try this:<BR /> <CODE>... your search ... | rex field=CATEGORY3 "Bundle With (?P&lt;num_of_inc&gt;\d+) INC"</CODE><BR /> hope it helps</P> Fri, 13 Apr 2018 13:53:17 GMT adonio 2018-04-13T13:53:17Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335405#M99634 <P>Hi All,</P> <P>I have a field "CATEGORY3," with strings for example:- <BR /> Log 1.2 Bundle With 12 INC<BR /><BR /> Log 1.2 Bundle With 3 INC <BR /> Log 1.2 Bundle With 103 INC<BR /> Log 1.3 IP<BR /> Log 1.3 IP</P> <P>I just need to extract the number of INCs if the CATEGORY3 contains Bundle Keyword. I tried something like substr(CATEGORY3,19,3), but it won't give a proper answer.<BR /> I was trying to look for regex as well, but I really do not know how to rex command inside eval case </P> <PRE><CODE>index="index1" sourcetype="XXX" | eval NE_COUNT= case(match(CREATOR_SUBJECT,"Bundle"), , match(CREATOR_SUBJECT,"IP"), 1 ) </CODE></PRE> <P>Thanks in advance</P> Fri, 13 Apr 2018 11:08:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335405#M99634 Chandras11 2018-04-13T11:08:45Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335406#M99635 <P>Hi,</P> <P>Can you try below rex which only works on event which has Bundle keyword:</P> <PRE><CODE>| rex field=_raw "Bundle With (?P&lt;inc_count&gt;\d+) INC" </CODE></PRE> Fri, 13 Apr 2018 12:27:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335406#M99635 p_gurav 2018-04-13T12:27:59Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335407#M99636 <P>Hey @p_gurav - I think your code is getting mangled because you forgot to use the <CODE>010101</CODE> code button. Maybe fix it so the user can test? I think your answer is probably correct!</P> Fri, 13 Apr 2018 12:56:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335407#M99636 elliotproebstel 2018-04-13T12:56:57Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335408#M99637 <P>hello there,<BR /> try this:<BR /> <CODE>... your search ... | rex field=CATEGORY3 "Bundle With (?P&lt;num_of_inc&gt;\d+) INC"</CODE><BR /> hope it helps</P> Fri, 13 Apr 2018 13:53:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335408#M99637 adonio 2018-04-13T13:53:17Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335409#M99638 <P>Thanks for the Answer. Its working and I learn a new point here. Just want to point that instead of checking in _raw , we can also use the field name CATEGORY3 for faster exeution. </P> Fri, 13 Apr 2018 14:29:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335409#M99638 Chandras11 2018-04-13T14:29:40Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335410#M99639 <P>for followers, in general you extract using substr in an "eval" see <A href="https://answers.splunk.com/answers/210683/how-to-use-substr-to-extract-the-first-3-letters-o.html">https://answers.splunk.com/answers/210683/how-to-use-substr-to-extract-the-first-3-letters-o.html</A></P> Fri, 22 Nov 2019 21:05:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-substring-in-a-string-for-eval-case/m-p/335410#M99639 rogerdpack 2019-11-22T21:05:52Z