Splunk Search

How to extract substring in a string for eval case?

Chandras11
Communicator

Hi All,

I have a field "CATEGORY3", with strings for example:
Log 1.2 Bundle With 12 INC
Log 1.2 Bundle With 3 INC
Log 1.2 Bundle With 103 INC
Log 1.3 IP
Log 1.3 IP

I just need to extract the number of INCs if CATEGORY3 contains the Bundle keyword. I tried something like substr(CATEGORY3,19,3), but it won't give a proper answer.
I was trying to look for regex as well, but I really do not know how to use the rex command inside an eval case

index="index1" sourcetype="XXX" | eval NE_COUNT= case(match(CREATOR_SUBJECT,"Bundle"),  , match(CREATOR_SUBJECT,"IP"), 1 )

Thanks in advance

0 Karma
1 Solution

adonio
Ultra Champion

hello there,
try this:
... your search ... | rex field=CATEGORY3 "Bundle With (?P<num_of_inc>\d+) INC"
hope it helps
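
Putting the accepted rex together with the asker's eval case, as an added, self-contained search (not part of any post above) that you can paste into a Splunk search bar: the CATEGORY3 values are the constructed sample strings from the question, generated with makeresults instead of reading index1, and the field name num_of_inc is taken from the answer.

```spl
| makeresults count=5
| streamstats count AS n
| eval CATEGORY3=case(n==1,"Log 1.2 Bundle With 12 INC", n==2,"Log 1.2 Bundle With 3 INC", n==3,"Log 1.2 Bundle With 103 INC", n==4,"Log 1.3 IP", n==5,"Log 1.3 IP")
| rex field=CATEGORY3 "Bundle With (?P<num_of_inc>\d+) INC"
| eval NE_COUNT=case(match(CATEGORY3,"Bundle"), tonumber(num_of_inc), match(CATEGORY3,"IP"), 1)
| table CATEGORY3 num_of_inc NE_COUNT
```

rex only populates num_of_inc on events where the pattern matches, so the two "Log 1.3 IP" rows keep it null and fall through to the second case branch, giving NE_COUNT=1; the three Bundle rows get 12, 3 and 103 as numbers rather than strings because of tonumber.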


p_gurav
Champion

Hi,

Can you try the below rex, which only works on events that have the Bundle keyword:

| rex field=_raw "Bundle With (?P<inc_count>\d+) INC"

rogerdpack
Path Finder

For followers: in general you extract using substr in an "eval"; see https://answers.splunk.com/answers/210683/how-to-use-substr-to-extract-the-first-3-letters-o.html

0 Karma

Chandras11
Communicator

Thanks for the answer. It's working and I learned a new point here. Just want to point out that instead of checking in _raw, we can also use the field name CATEGORY3 for faster execution.

0 Karma

elliotproebstel
Champion

Hey @p_gurav - I think your code is getting mangled because you forgot to use the 010101 code button. Maybe fix it so the user can test? I think your answer is probably correct!

0 Karma