How do I extract last two fields of a string separated by a delimiter?

Engager

Hi, I have some strings separated by a "." delimiter. For example,
a.b.c.d
x.y.z
p.q.r.s.t.u

I want to be able to extract the last two fields with the delimiter. So, I want my output to be:
c.d
y.z
t.u

Is there a method to perform such an action?
Thanks,
MA


Re: How do I extract last two fields of a string separated by a delimiter?

Motivator

How about trying this? Let's say your data is in the field myField, which has strings like w.x.y.z

your query to return events
| eval splitString=split(myField, ".")
| eval count=mvcount(splitString)
| eval requiredString=mvindex( splitString, count-2).".".mvindex(splitString, count-1)
| table requiredString


Re: How do I extract last two fields of a string separated by a delimiter?

Path Finder

This can also work; it saves the "eval count=mvcount(splitString)" clause:
| eval splitString=split(myField, ".")
| eval requiredString=mvindex(splitString, -2).".".mvindex(splitString, -1)
| table requiredString

It appears the mvindex list can use negative indices to start from the end of the list.


Re: How do I extract last two fields of a string separated by a delimiter?

Engager

Thanks, that works!


Re: How do I extract last two fields of a string separated by a delimiter?

SplunkTrust

An alternative command (rex), assuming dot as the delimiter. The regex might need updates based on the type of values the strings between the delimiters contain.

your base search | rex field=myField "\.(?<requiredString>\w+\.\w+)$" | table myField requiredString

Re: How do I extract last two fields of a string separated by a delimiter?

Path Finder

Building on somesoni2's expression, this would allow for any characters other than the delimiter:

your base search | rex field=myField "\.(?<requiredString>[^.]+\.[^.]+)$" | table myField requiredString
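
Added example, not part of any reply in this thread: a self-contained search that runs the three approaches above side by side on constructed values (the asker's three strings plus a two-field value, a single-field value and a value with a hyphen in its last two fields). The output field names and the fourth `rex` pattern, which also accepts a string with exactly two fields, are assumptions of this example.

```spl
| makeresults
| eval constructedSamples="a.b.c.d,x.y.z,p.q.r.s.t.u,a.b,single,a.my-host.local"
| eval myField=split(constructedSamples, ",")
| mvexpand myField
| eval parts=split(myField, ".")
| eval viaMvindex=if(mvcount(parts)>=2, mvjoin(mvindex(parts, -2, -1), "."), null())
| rex field=myField "\.(?<viaWordRex>\w+\.\w+)$"
| rex field=myField "\.(?<viaNegatedClassRex>[^.]+\.[^.]+)$"
| rex field=myField "(?:^|\.)(?<viaAnchoredRexAssumed>[^.]+\.[^.]+)$"
| table myField viaMvindex viaWordRex viaNegatedClassRex viaAnchoredRexAssumed
```

For `a.b`, both `rex` patterns from the thread leave their field empty because they require a dot before the second-to-last field. For `a.my-host.local`, the `\w+` pattern leaves its field empty because `\w` does not match a hyphen.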

Re: How do I extract last two fields of a string separated by a delimiter?

Engager

Thanks, somesoni2!
