Solved: Get just 7 characters of field to search

dlcrooks · ‎01-23-2018

I have a userID with 9 characters and want to search a lookup with just 7 characters. I have tried to use RegEx but it just searches that many characters instead of assigning it to the field. Any ideas?

493669 · ‎01-23-2018

Try:

 <base search>|eval userID =substr(userID,1,7)

Hope this helps!

View solution in original post

mayurr98 · ‎01-24-2018

you can do this using rex as well

Try this run anywhere search

| makeresults 
| eval userID="dlcrooks mayurjadhav splunkninja dlcrook123 dl123crooks" 
| makemv userID 
| mvexpand userID 
| rex field=userID "(?<userID>\w{7})"

In your environment, you should write

index=<your_index> 
| rex field=userID "(?<userID>\w{7})"

let me know if this helps!

493669 · ‎01-23-2018

Try:

 <base search>|eval userID =substr(userID,1,7)

Hope this helps!

dlcrooks · ‎01-23-2018

Thanks! It works!

493669 · ‎02-07-2018

@dlcrooks, please accept answer so that it will no longer open

Get just 7 characters of field to search

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Get just 7 characters of field to search

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine