Field extraction in a string


Hello to all,

How can I make a field extraction from a string:


from the third to seventh character..

In order to obtain as a result:


Thanks in advance

0 Karma

Splunk Employee

You will need to make an adjustment to fields.conf on the search head.

Setting INDEXED_VALUE to false should allow you to search on the extracted fields without the wildcard.

If one does not exist, you will want to create a fields.conf in $splunkhome/etc/system/local and add the below stanza to it.

[ertyuio or whatever your extraction is named.]

This should then allow the env=ertyuio search to return results.

Below is a link to the docs page for fields.conf

This is what we are changing. It is a bit counterintuitive: though ertyuio is in the event, since it is part of a word and does not exist exactly as "ertyuio", we want to set it as false, as it does not count as being part of the raw text in the event.

INDEXED_VALUE = [true|false|<sed-cmd>|<simple-substitution-string>]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.

Give that a try for me if you can and let me know your result. It works in my test environment.

0 Karma



There seems to be a typo in your post, as you are looking to extract 7 characters starting from character number 3 and not the characters from the 3rd to the 7th.

I am referring to the same assumption which was mentioned in the post from "kristian.kolb".

Let me know if following works for you or not.

... | rex field=theString "\w{2}(?P<myvar>\w{7})"

Amit Saxena

0 Karma

Ultra Champion

Well, with rex you can do it like so, assuming that the string 'qwertyuiop' is in a field called theString:

... | rex field=theString "\w\w(?<result>\w{7})" | 

OR with eval you can do it like this:

... | eval result=substr(theString, 3, 7) | 

Hope that helps,



Note that you will not be able to search on this field by default since it doesn't correspond to a unique token in Splunk's index. If that's not a problem, all is fine. 😃

Super Champion

\w\w(?<result>\w{7}) and the eval will both grab the 3rd to 9th characters.

0 Karma

Revered Legend

Just a small correction to rex


0 Karma
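
As an added example (not from any of the posts above), this Python sketch emulates the thread's rex pattern and substr(theString, 3, 7) to show where the two stop agreeing: the rex is unanchored and needs nine consecutive word characters, while substr is purely positional. The ^-anchored variant, the helper names and every sample string other than qwertyuiop are assumptions made for illustration.

```python
import re

# Python's re accepts the (?P<name>...) group syntax used in the thread's rex.
UNANCHORED = re.compile(r"\w{2}(?P<myvar>\w{7})")
# Assumption: a ^-anchored variant, added here to pin the match to position 1.
ANCHORED = re.compile(r"^\w{2}(?P<myvar>\w{7})")


def spl_substr(s, start, length):
    """Emulate eval substr(s, start, length) for a positive, 1-based start."""
    return s[start - 1:start - 1 + length]


def rex_extract(pattern, s):
    """Emulate rex: the first match wins; no match leaves the field unset."""
    m = pattern.search(s)
    return m.group("myvar") if m else None


def compare(s):
    """Return what each extraction method yields for the same input."""
    return {
        "substr": spl_substr(s, 3, 7),
        "rex": rex_extract(UNANCHORED, s),
        "rex_anchored": rex_extract(ANCHORED, s),
    }


# Constructed samples: the thread's string, one with punctuation in
# position 2, and one shorter than nine characters.
SAMPLES = ["qwertyuiop", "q-wertyuiopasd", "qwerty"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, compare(sample))
```

On the punctuated sample the unanchored rex silently slides to a later offset, and on the short sample rex yields nothing while substr returns a truncated value, so the two methods are interchangeable only for inputs shaped like the one in the question.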