Solved: Extract last 3 characters from field

ahogbin · ‎07-06-2016

Hello,

I am trying to extract the last 3 characters from an extracted field. The field is in the format of 122RN00578COM or QN00001576VSD - numbers vary and length may vary over time) and the characters I am trying to extract are COM, VSD etc

I have tried using Substr and whilst this works in the short term any variation in length of field throws it off.
Is there a more robust method that will allow for changes in field length whilst maintaining the extraction of the last 3 characters (these are always letters)?

Thanks in advance for any help or suggestions.

Alastair

sundareshr · ‎07-06-2016

This should give you last 3,

substr(x, len(x)-2, 3)

The other option would be to use rex

rex field=x "(?<y>\w{3})$"

View solution in original post

sundareshr · ‎07-06-2016

This should give you last 3,

substr(x, len(x)-2, 3)

The other option would be to use rex

rex field=x "(?<y>\w{3})$"

ahogbin · ‎07-06-2016

Superstar.. thank you so much

JCISplunker · ‎07-22-2019

Why not the simpler with negative index:

substr(x,-3)

Extract last 3 characters from field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation