Solved: Re: create new field from substring of another fie...

jedatt01 · ‎12-14-2011

Hi, in a search i'm trying to take my 'source' field, do a substring on it and save it as another field. Here's what I have so far for my search

index="XXY" | eval sourcetable = source

an example of the source field is
"D:\Splunk\bin\scripts\Pscprod.psclassdefn.bat"
I need parse out Pscprod.psclassdefn from the 'source' and save it as another field called 'sourcetable'

bme7493 · ‎12-14-2011

Here's an alternate solution:

index="XXY" | eval tablename=substr(source,23) | eval tablename=rtrim(tablename,".bat")

View solution in original post

ytamura · ‎12-14-2011

Using regular expressions may be a little more flexible if your path keeps changing in length/level:

index="XXY" | rex field=source "(?<sourcetable>[\w.]*).bat"

bme7493 · ‎12-14-2011

Here's an alternate solution:

index="XXY" | eval tablename=substr(source,23) | eval tablename=rtrim(tablename,".bat")

c48571 · ‎05-01-2020

What does the 23 stand for in (source,23)?

bme7493 · ‎12-14-2011

I'm assuming that the the source field is the name of a script that you're running and you're just indexing the results from said script. If that assumption is correct, could you just output the portion that you're looking for as part of the result of the script?

create new field from substring of another field

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

create new field from substring of another field

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?