Splunk Search

Function to fetch a part of a field value

Jananee_iNautix
Path Finder

A field called username has values
INPUT:
kesia@abc.bgf.hf:123
gefuf@ef.eff.gre:872
.I want to take the string before the @ symbol alone like
OUTPUT:
kesis
gefuf

How can this be done in splunk and Which function will be apt to this requirement?

Tags (1)
0 Karma

Jananee_iNautix
Path Finder

At search time only.i extracted the field username which has sample values i specified.i want to extract a part of that field value

0 Karma

MuS
Legend

Hi Jananee_iNautix,

based on the provided information, you can use rex to do this in search time like this:

YorFancySearch | rex field=username "\s(?<username>.*)\@" | ....

If you want that field to be extracted at index time, use the this guide

hope this helps ...

cheers, MuS

somesoni2
Revered Legend

small correction here in rex. Field name extracted with @ is username.

your base search..| rex field=username "(?.*)@"

Jananee_iNautix
Path Finder

i don want to extract it like you said.Using functions i want to take kesia alone from the value kesia@abc.bgf.hf:123 named as a field username

0 Karma

hRun
Path Finder

Is the username field a multivalue field or did you just provide two examples for possible values?
And are you referring to an extraction at search time or at indexing time (field extraction)?

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...