Solved: How to make substring using rex

splunkkid · ‎09-14-2020

Hello,

I am currently confront some problem here.

I want to substring data in specific column using rex.

The column's data looks like below(All same or similar style).

"****-****-**POD4-***"

In above case, all I need is the number after the word POD. ( * means some alphabets)

Any ideas?

Thank you.

thambisetty · ‎09-14-2020

replace <choosefield> with field name from which you want to extract number after word POD. number will be extracted to new field called "podnumber"

| rex field=<choosefield> "POD(?<podnumber>\d+)"

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎09-14-2020

replace <choosefield> with field name from which you want to extract number after word POD. number will be extracted to new field called "podnumber"

| rex field=<choosefield> "POD(?<podnumber>\d+)"

————————————
If this helps, give a like below.

splunkkid · ‎09-14-2020

@thambisetty

Thanks! This worked exactly how I want.

ITWhisperer · ‎09-14-2020

| rex field=column "POD(?<number>\d+)\-"

where column is the field name your data is in.

Is it always POD? If not, is it always ****-****-**POD4-*** 4 letters "-" 4 letters "-" 2 letters 3 characters number (at least 1 digit) "-" 3 letters?

splunkkid · ‎09-14-2020

@ITWhisperer

First, Thanks for your answer.

And I tried like below

MYSEARCH | rex field=pod "pod(?<number>\d+)" | sort podnumber | table pod podnumber

Erased the part "\-" because that makes no results, although i don't know why.

And * part could be different by row, so it doesn't really helpful I guess.

How to make substring using rex

rex

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM