Solved: How do I extract last numbers in field

dfigurello · ‎02-25-2014

Hello Splunkers,

I Would like to create a new field with the last numbers in another field called logid

For example:

logid = 0101232010

logid = 0101242010
logid = 0101240210

I want create a new field with last 5 numbers, like as:

id= 32010
id= 42010
id= 40210

Could I create a regex for that?

Tks.

reed_kelly · ‎02-25-2014

If I understand correctly, you just want to extract the last 5 characters of a field. Here is an example using the rex command:

|gentimes start=-1 |eval foo="1232134324" |rex field=foo "(?<id>\d{5})$" |table foo,id

returns: foo=1232134324 id=34324

dfigurello · ‎02-26-2014

Thank you Splunkers!

🙂

somesoni2 · ‎02-25-2014

Another options could be using substring.

sourcetype=fortigate subtype=admin pri=warning | stats count by log_id | eval newfield=substr(log_id,len(log_id)-4) | table log_id, newfield

reed_kelly · ‎02-25-2014

If I understand correctly, you just want to extract the last 5 characters of a field. Here is an example using the rex command:

|gentimes start=-1 |eval foo="1232134324" |rex field=foo "(?<id>\d{5})$" |table foo,id

returns: foo=1232134324 id=34324

somesoni2 · ‎02-25-2014

Also, you've kept the name of new field same as old field, use following
...| rex field=log_id "(?\d{5})$" | table log_id,id

MuS · ‎02-25-2014

For a start keep it simple and just try to get the field=value pair like this:

sourcetype=fortigate subtype=admin pri=warning | rex "(?<log_id>\d{5})$" | table log_id

reed_kelly · ‎02-25-2014

The backslash before the "d{5}" didn't get rendered. I have edited my answer to fix that. It should be "\d{5}"

dfigurello · ‎02-25-2014

hi reed.kelly,

I don't get it. I am trying it into my search. Look at my seach:

sourcetype=fortigate subtype=admin pri=warning | stats count by log_id | rex field=log_id "(?d{5})$" | table log_id

Any idea ?

How do I extract last numbers in field