Splunk Search

Extract last 3 characters from field

ahogbin
Communicator

Hello,

I am trying to extract the last 3 characters from an extracted field. The field is in the format of 122RN00578COM or QN00001576VSD - numbers vary and length may vary over time) and the characters I am trying to extract are COM, VSD etc

I have tried using Substr and whilst this works in the short term any variation in length of field throws it off.
Is there a more robust method that will allow for changes in field length whilst maintaining the extraction of the last 3 characters (these are always letters)?

Thanks in advance for any help or suggestions.

Alastair

0 Karma
1 Solution

sundareshr
Legend

This should give you last 3,

substr(x, len(x)-2, 3)

The other option would be to use rex

rex field=x "(?<y>\w{3})$" 

View solution in original post

sundareshr
Legend

This should give you last 3,

substr(x, len(x)-2, 3)

The other option would be to use rex

rex field=x "(?<y>\w{3})$" 

ahogbin
Communicator

Superstar.. thank you so much

0 Karma

JCISplunker
Explorer

Why not the simpler with negative index:

substr(x,-3)
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...