All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field extraction in a string

retesi
Engager
‎11-12-2013 08:12 AM

Hello to all,

how can I make a field extraction from a string:

qwertyuiop

from the third to seventh character..

In order to obtain as a result:

ertyuio

thanks in advance

0 Karma
Reply

jpondrom_splunk
Splunk Employee
Splunk Employee
‎10-24-2017 07:27 AM

You will need to make an adjustment to fields.conf on the search head.

Setting the INDEXED_VALUE to false should allow you to search on the extracted fields without the wild card.

If one does not exist, you will want to create a fields.conf in $splunkhome/etc/system/local and add the below stanza to it.

[ertyuio or whatever your extraction is named.]
INDEXED_VALUE=false

This should then allow the env=ertyuio search to return results.

Below is a link to the docs page for fields .conf

http://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Fieldsconf

This is what we are changing, it is a bit counter intuitive, though ertyuio is in the event, since it is part of a word and does not exist exactly as "ertyuio" we want to set it as false as it does not count as being part of the raw text in the event.

INDEXED_VALUE = [true|false||]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.

Give that a try for me if you can and let me know your result. It works in my test environment.

0 Karma
Reply

amit_saxena
Communicator
‎11-12-2013 08:54 AM

Hi,

There seems to be typo in your post as you are looking to extract 7 characters starting from character number 3 and not characters between 3rd till 7th characters.

I am referring the same assumption which was mentioned in the post from "kristian.kolb".

Let me know if following works for you or not.

... | rex field=theString "\w{2}(?P<myvar>\w{7})"

Regards,
Amit Saxena

0 Karma
Reply

kristian_kolb
Ultra Champion
‎11-12-2013 08:19 AM

well, with rex you can do it like so, assuming that the string 'qwertyuiop' is in a field called theString

... | rex field=theString "\w\w(?<result>\w{7})" |

OR with eval you can do it like this;

... | eval result=substr(theString, 3, 7) |

Hope that helps,

K

Reply

Ayn
Legend
‎11-12-2013 09:06 AM

Note that you will not be able to search on this field by default since it doesn't correspond to a unique token in Splunk's index. If that's not a problem, all is fine. 😃

Reply

lukejadamec
Super Champion
‎11-12-2013 08:59 AM

\w\w(?\w{7}) and the eval will both grab the 3rd to 9th characters.

0 Karma
Reply

somesoni2
Revered Legend
‎11-12-2013 08:28 AM

Just small correction to rex

"\w\w\w(?\w{7})"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...