Solved: How to extract string before specific character

marinella26 · ‎07-12-2023

Hello. I want to extract strings anything comes before "|" .

Expected result:
Math
Math
English
Science

Below search did not worked.

my search | stats count by Subject="(?<Subject>[^\|]+)"

Please help me out.

gcusello · ‎07-12-2023

Hi @marinella26 ,

you can use:

| rex "^(?<field>[^\|]+)"

that you can test at https://regex101.com/r/6Ynayk/1

Ciao.

Giuseppe

View solution in original post

gcusello · ‎07-12-2023

Hi @marinella26 ,

you can use:

| rex "^(?<field>[^\|]+)"

that you can test at https://regex101.com/r/6Ynayk/1

Ciao.

Giuseppe

yuanliu · ‎07-12-2023

Read rex. stats command doesn't have a function to do extraction.

Meanwhile, your sample code suggests that Splunk gives you a field named Subject and you are trying to get some info from this field. If this is the case, there is a slightly more efficient way using split function:

my search
| Subject = mvindex(split(Subject, "|"), 0)
| stats count by Subject

Another way equivalent to rex is to use replace function.

How to extract string before specific character

count

eval

field extraction

regex

rex

stats

tstats

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

How to extract string before specific character