Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the last underscore part of a field?

Splunkster45
Communicator
‎05-09-2018 06:42 AM

I have a value a_b_c. How do I extract the last '_' item. So in this case it'd be 'c'. The number of of underscores in the field can change. I need the last one.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 06:49 AM

Try this:

| makeresults
| eval oldfield="adsfesaf_sfdasdf_sdfsadf_243rfsa"
| rex field=oldfield "_(?<newfield>[^_]+)$"

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 06:49 AM

Try this:

| makeresults
| eval oldfield="adsfesaf_sfdasdf_sdfsadf_243rfsa"
| rex field=oldfield "_(?<newfield>[^_]+)$"

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Reply
Solved! Jump to solution

Splunkster45
Communicator
‎05-09-2018 07:05 AM

Works like a charm. Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...