Splunk Search

How to use eval or other method in calculated fields to extract values into a new field?

reach2tushar
Explorer

Hi,

I am thinking of using the Calculated Fields option to extract one field.
I have following values in a field name "YOURFIELD"
Test_X
TestA_Y
TestBC_Z_all
I want to extract the characters before "_" in a new field "MYFIELD". The result will be:
Test
TestA
TestBC

Can please help me to extract this result in calculated fields using an EVAL function or any other method?

Tags (4)
0 Karma

Ayn
Legend
... | rex field=YOURFIELD "(?<MYFIELD>.+?)_"

Ayn
Legend

Yes, you can.

0 Karma

reach2tushar
Explorer

Thanks for the reply Ayn. Can we use RegEx in Calculated fields?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...