Solved: Separting the string in splunk

mayank101 · ‎07-16-2019

I have various search string under the field name entity:

            Entity

1 GBP:BOOT2NDSUNQTR_MAINT4_lonlx11067
2 GBP:BOOT2NDSUNMONTH_MAINT3_redlxd00130
3 AMP:BOOT2NDSATMONTH_MAINT4_psclxd00034
4 AMP:BOOTALLSUNMONTH_MAINT1_SecProd_DEV_totlxfidevsp126
.
.
.
and so on

I want host name to be extracted such as lonlx11067,totlxfidevsp126 and do on. Could you help me in writing the query for the same I am particularly new to this

nick405060 · ‎07-16-2019

Write your extraction rex.

... | rex field=Entity "_(?<host>[^_]+?)$" | table Entity host

View solution in original post

nick405060 · ‎07-16-2019

Write your extraction rex.

... | rex field=Entity "_(?<host>[^_]+?)$" | table Entity host

mayank101 · ‎07-16-2019

I did not understood what you said.What is extraction rex

nick405060 · ‎07-16-2019

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex

Separting the string in splunk

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Separting the string in splunk

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25