Solved: Re: create new field from substring of another fie...

jedatt01 · ‎12-14-2011

Hi, in a search i'm trying to take my 'source' field, do a substring on it and save it as another field. Here's what I have so far for my search

index="XXY" | eval sourcetable = source

an example of the source field is
"D:\Splunk\bin\scripts\Pscprod.psclassdefn.bat"
I need parse out Pscprod.psclassdefn from the 'source' and save it as another field called 'sourcetable'

bme7493 · ‎12-14-2011

Here's an alternate solution:

index="XXY" | eval tablename=substr(source,23) | eval tablename=rtrim(tablename,".bat")

View solution in original post

ytamura · ‎12-14-2011

Using regular expressions may be a little more flexible if your path keeps changing in length/level:

index="XXY" | rex field=source "(?<sourcetable>[\w.]*).bat"

bme7493 · ‎12-14-2011

Here's an alternate solution:

index="XXY" | eval tablename=substr(source,23) | eval tablename=rtrim(tablename,".bat")

c48571 · ‎05-01-2020

What does the 23 stand for in (source,23)?

bme7493 · ‎12-14-2011

I'm assuming that the the source field is the name of a script that you're running and you're just indexing the results from said script. If that assumption is correct, could you just output the portion that you're looking for as part of the result of the script?

create new field from substring of another field

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

create new field from substring of another field

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience