Solved: Extract last 3 characters from field

ahogbin · ‎07-06-2016

Hello,

I am trying to extract the last 3 characters from an extracted field. The field is in the format of 122RN00578COM or QN00001576VSD - numbers vary and length may vary over time) and the characters I am trying to extract are COM, VSD etc

I have tried using Substr and whilst this works in the short term any variation in length of field throws it off.
Is there a more robust method that will allow for changes in field length whilst maintaining the extraction of the last 3 characters (these are always letters)?

Thanks in advance for any help or suggestions.

Alastair

sundareshr · ‎07-06-2016

This should give you last 3,

substr(x, len(x)-2, 3)

The other option would be to use rex

rex field=x "(?<y>\w{3})$"

View solution in original post

sundareshr · ‎07-06-2016

This should give you last 3,

substr(x, len(x)-2, 3)

The other option would be to use rex

rex field=x "(?<y>\w{3})$"

ahogbin · ‎07-06-2016

Superstar.. thank you so much

JCISplunker · ‎07-22-2019

Why not the simpler with negative index:

substr(x,-3)

Extract last 3 characters from field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Extract last 3 characters from field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem