Field extraction in a string

retesi
Engager

Hello to all,

How can I make a field extraction from a string:

qwertyuiop

from the third to the seventh character,

in order to obtain as a result:

ertyuio

Thanks in advance.

0 Karma

jpondrom_splunk
Splunk Employee

You will need to make an adjustment to fields.conf on the search head.

Setting the INDEXED_VALUE to false should allow you to search on the extracted fields without the wild card.

If one does not exist, you will want to create a fields.conf in $splunkhome/etc/system/local and add the below stanza to it.

[ertyuio or whatever your extraction is named.]
INDEXED_VALUE=false

This should then allow the env=ertyuio search to return results.

Below is a link to the docs page for fields.conf:

http://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Fieldsconf

This is what we are changing. It is a bit counterintuitive: although ertyuio is in the event, it is part of a word and does not exist exactly as "ertyuio", so we want to set this to false, as it does not count as being part of the raw text in the event.

INDEXED_VALUE = [true|false||]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.

Give that a try for me if you can and let me know your result. It works in my test environment.

0 Karma

amit_saxena
Communicator

Hi,

There seems to be a typo in your post, as you are looking to extract 7 characters starting from character number 3, and not the characters between the 3rd and 7th characters.

I am referring to the same assumption that was mentioned in the post from "kristian.kolb".

Let me know whether the following works for you:

... | rex field=theString "\w{2}(?P<myvar>\w{7})"

Regards,
Amit Saxena

0 Karma

kristian_kolb
Ultra Champion

Well, with rex you can do it like so, assuming that the string 'qwertyuiop' is in a field called theString:

... | rex field=theString "\w\w(?<result>\w{7})" | 

Or with eval you can do it like this:

... | eval result=substr(theString, 3, 7) | 

Hope that helps,

K

Ayn
Legend

Note that you will not be able to search on this field by default since it doesn't correspond to a unique token in Splunk's index. If that's not a problem, all is fine. 😃

lukejadamec
Super Champion

\w\w(?<result>\w{7}) and the eval will both grab the 3rd to 9th characters.

0 Karma

somesoni2
Revered Legend

Just a small correction to the rex:

"\w\w\w(?<result>\w{7})"

0 Karma
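To make the disagreement in the thread concrete (which characters each proposed rex pattern and the eval substr actually capture, and why the captured value is not searchable as a whole token, as jpondrom_splunk and Ayn describe), here is an added Python example that mirrors the SPL semantics. It is not code from the thread or from Splunk; the sample event, the field name theString and the simplified whitespace/"=" tokenizer are assumptions.

```python
import re

# Constructed sample event: the field "theString" holds "qwertyuiop", as in the question.
SAMPLE_EVENT = {"_raw": "host=web01 theString=qwertyuiop status=ok",
                "theString": "qwertyuiop"}

# Patterns proposed in the thread, ported to Python's (?P<name>...) group syntax.
PATTERNS = {
    "kristian_kolb": r"\w\w(?P<result>\w{7})",
    "amit_saxena":   r"\w{2}(?P<myvar>\w{7})",
    "somesoni2":     r"\w\w\w(?P<result>\w{7})",
}

def rex(field_value: str, pattern: str) -> dict:
    """Mimic SPL `rex field=<f> "<pattern>"`: named captures of the first match, or {} if no match."""
    m = re.search(pattern, field_value)
    return m.groupdict() if m else {}

def substr(value: str, start: int, length: int) -> str:
    """Mimic SPL substr(): 1-based start position and a count of characters (not an end position)."""
    return value[start - 1:start - 1 + length]

def char_range(value: str, captured: str) -> tuple:
    """Return the 1-based (first, last) character positions that `captured` occupies in `value`."""
    pos = value.index(captured)
    return (pos + 1, pos + len(captured))

def is_whole_token(value: str, raw: str) -> bool:
    """Simplified stand-in (assumption) for Splunk's major-breaker tokenization of _raw.

    A value that only occurs inside a larger word is not an indexed token, which is
    why a search like env=ertyuio finds nothing unless INDEXED_VALUE is set to false."""
    return value in re.split(r"[\s=]+", raw)

def compare_all(event: dict = SAMPLE_EVENT) -> dict:
    """Run every proposal against the sample field and report (captured value, char range)."""
    s = event["theString"]
    out = {}
    for who, pat in PATTERNS.items():
        val = next(iter(rex(s, pat).values()))
        out[who] = (val, char_range(s, val))
    val = substr(s, 3, 7)
    out["eval_substr"] = (val, char_range(s, val))
    return out

if __name__ == "__main__":
    for who, (val, rng) in compare_all().items():
        print(f"{who:14s} -> {val!r} chars {rng[0]}-{rng[1]}, whole token: {is_whole_token(val, SAMPLE_EVENT['_raw'])}")
```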