Solved: Re: create new field from substring of another fie...

jedatt01 · ‎12-14-2011

Hi, in a search i'm trying to take my 'source' field, do a substring on it and save it as another field. Here's what I have so far for my search

index="XXY" | eval sourcetable = source

an example of the source field is
"D:\Splunk\bin\scripts\Pscprod.psclassdefn.bat"
I need parse out Pscprod.psclassdefn from the 'source' and save it as another field called 'sourcetable'

bme7493 · ‎12-14-2011

Here's an alternate solution:

index="XXY" | eval tablename=substr(source,23) | eval tablename=rtrim(tablename,".bat")

View solution in original post

ytamura · ‎12-14-2011

Using regular expressions may be a little more flexible if your path keeps changing in length/level:

index="XXY" | rex field=source "(?<sourcetable>[\w.]*).bat"

bme7493 · ‎12-14-2011

Here's an alternate solution:

index="XXY" | eval tablename=substr(source,23) | eval tablename=rtrim(tablename,".bat")

c48571 · ‎05-01-2020

What does the 23 stand for in (source,23)?

bme7493 · ‎12-14-2011

I'm assuming that the the source field is the name of a script that you're running and you're just indexing the results from said script. If that assumption is correct, could you just output the portion that you're looking for as part of the result of the script?

create new field from substring of another field

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

create new field from substring of another field

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...