Solved: How to match and filter by substr?

jaj · ‎02-18-2014

I have a log where

labelData=123-345

or

lableData=123

How I want to ignore the -345 and just keep the first 3 characters and report on the occurances. The above would count for two occurrences for labelData=123.

I can't seem to figure this out using:

source=*//logs/stdout.log class=myClass | fields labelData | eval newStuff=substr(labelData, 1, 43 | stats count by newStuff |  sort count | reverse

Input Note: labelData could also be 456-789. Basically, i just want to match/substr the first 3 characters.

lukejadamec · ‎02-18-2014

You can try

This will give you the full string in the results, but the results will only include values with the substring.

If you want to create a new field, then use rex.

View solution in original post

aishelm · ‎10-16-2014

This is a different answer inspired by above question and responses.

index="indexname" Type="Error"| eval messageInit=substr(Message, 1, 25)| top limit=20 messageInit

lukejadamec · ‎02-18-2014

You can try

This will give you the full string in the results, but the results will only include values with the substring.

If you want to create a new field, then use rex.

lukejadamec · ‎02-19-2014

For multiple possibilities you would use the OR command for regex, which is the pipe |. For the first three characters only, use the "starts with" symbol, otherwise known as the carrot ^. I'm assuming you mean exactly 456 or 789.

|regex lableData="^456|^789"

To grab just the one that starts with 789, remove the OR.

|regex lableData="^789"

jaj · ‎02-19-2014

QQ: what if the input was 456-789 or 789-012? how could I use a regex to extract the first three characters only?

lukejadamec · ‎02-19-2014

If you have multiple substrings to capture, then you can do that also.

jaj · ‎02-19-2014

thanks again!

How to match and filter by substr?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk