Hello to all,
How can I make a field extraction from a string:
qwertyuiop
from the third to the seventh character,
in order to obtain as a result:
ertyuio
Thanks in advance.
You will need to make an adjustment to fields.conf on the search head.
Setting the INDEXED_VALUE to false should allow you to search on the extracted fields without the wild card.
If one does not exist, you will want to create a fields.conf in $splunkhome/etc/system/local and add the below stanza to it.
[ertyuio or whatever your extraction is named.]
INDEXED_VALUE=false
This should then allow the env=ertyuio search to return results.
Below is a link to the docs page for fields.conf:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Fieldsconf
This is what we are changing. It is a bit counterintuitive: though ertyuio is in the event, since it is part of a word and does not exist exactly as "ertyuio", we want to set it to false, as it does not count as being part of the raw text in the event.
INDEXED_VALUE = [true|false||]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.
Give that a try for me if you can and let me know your result. It works in my test environment.
Hi,
There seems to be a typo in your post, as you are looking to extract 7 characters starting from character number 3, and not the characters from the 3rd to the 7th.
I am referring to the same assumption which was mentioned in the post from "kristian.kolb".
Let me know whether the following works for you or not.
... | rex field=theString "\w{2}(?P<myvar>\w{7})"
Regards,
Amit Saxena
Well, with rex
you can do it like so, assuming that the string 'qwertyuiop' is in a field called theString:
... | rex field=theString "\w\w(?<result>\w{7})" |
OR with eval
you can do it like this:
... | eval result=substr(theString, 3, 7) |
Hope that helps,
K
Note that you will not be able to search on this field by default since it doesn't correspond to a unique token in Splunk's index. If that's not a problem, all is fine. 😃
\w\w(?
Just a small correction to rex
"\w\w\w(?
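Added example, not part of any post in this thread: a Python sketch that compares the positional eval substr() answer with the unanchored rex pattern on constructed strings, and models why the extracted substring is not found when the search looks it up as an indexed term. The helper names, the sample values and the breaker list in index_tokens are assumptions; the breaker list is a simplification, not Splunk's actual segmenter.

```python
import re

# Pattern from the rex answers above (Python spells named groups (?P<name>...)).
REX = re.compile(r"\w{2}(?P<result>\w{7})")


def substr(s, start, length):
    """SPL-style substr(): 1-based start position, fixed length."""
    return s[start - 1:start - 1 + length]


def rex(s):
    """Unanchored match, like rex: the first place the pattern fits, else None."""
    m = REX.search(s)
    return m.group("result") if m else None


def index_tokens(raw):
    """Simplified model (assumption) of index-time segmentation: split the raw
    event on whitespace and common punctuation breakers, lower-case the terms."""
    return {t.lower() for t in re.split(r"[\s\[\](){}<>|!;,'\"=:/@.\-]+", raw) if t}


def searchable_as_token(value, raw):
    """True if value exists as a whole term in the modelled index, which is
    what a field=value search relies on unless INDEXED_VALUE=false is set."""
    return value.lower() in index_tokens(raw)


# Constructed sample field values: the thread's string, the same string behind
# a prefix with a non-word character, and a string that is too short.
SAMPLES = ["qwertyuiop", "id-qwertyuiop", "ab12"]


def compare(samples=SAMPLES):
    """Return (input, substr result, rex result) for each sample."""
    return [(s, substr(s, 3, 7), rex(s)) for s in samples]


if __name__ == "__main__":
    for row in compare():
        print(row)
    raw = "2017-11-02 host=web01 theString=qwertyuiop"  # constructed event
    print(searchable_as_token("qwertyuiop", raw))  # whole word is a term
    print(searchable_as_token("ertyuio", raw))     # substring is not
```

The two approaches agree only when the field starts with nine word characters; on other input substr() stays positional while the rex pattern slides to the first run it can match, or extracts nothing.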