Solved: Re: Extract last 3 characters from field

ahogbin · ‎07-06-2016

Hello,

I am trying to extract the last 3 characters from an extracted field. The field is in the format of 122RN00578COM or QN00001576VSD - numbers vary and length may vary over time) and the characters I am trying to extract are COM, VSD etc

I have tried using Substr and whilst this works in the short term any variation in length of field throws it off.
Is there a more robust method that will allow for changes in field length whilst maintaining the extraction of the last 3 characters (these are always letters)?

Thanks in advance for any help or suggestions.

Alastair

sundareshr · ‎07-06-2016

This should give you last 3,

substr(x, len(x)-2, 3)

The other option would be to use rex

rex field=x "(?<y>\w{3})$"

View solution in original post

sundareshr · ‎07-06-2016

This should give you last 3,

substr(x, len(x)-2, 3)

The other option would be to use rex

rex field=x "(?<y>\w{3})$"

ahogbin · ‎07-06-2016

Superstar.. thank you so much

JCISplunker · ‎07-22-2019

Why not the simpler with negative index:

substr(x,-3)

Extract last 3 characters from field

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms