Re: How to extract string after special character

eli_da · ‎07-23-2019

Hello everyone,

I have a simple question about rex, I have not been successful.

I have a string:

"bllablla_toni" 
"bloobloo_jony"

And I am want to extract the string after character "_".
The result will be:

"toni" 
"jony"

Thanks!

eli_da · ‎07-24-2019

,Is work

Thank!

vnravikumar · ‎07-23-2019

Hi @eli_da

Try this simple rex

| makeresults 
| eval str="bllablla_toni,bloobloo_jony" 
| makemv delim="," str 
| rex field=str "\_(?P<result>\w+)" 
| mvexpand result 
| table result

jaime_ramirez · ‎07-23-2019

Hi

The following should do the trick:

[^_]+\_(?<extracted_string>.*)

Applied to rex (just copy and paste into splunk directly):

| makeresults 
| eval events="bllablla_toni bloobloo_jony"
| eval events=split(events, " ")
| mvexpand events
| rename events as strings
| rename COMMENT AS "--- Sample Generated Events Above ---"
| rex field=strings "[^\_]+\_(?<extracted_string>.*)"

Hope it helps

How to extract string after special character

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation