Splunk Search

extracting the first 3 characters from a field?

HattrickNZ
Motivator

How do I extract the first 3 characters from a field?

I thought it might be something like ... | eval First3=substring(fieldname,3)

Anyone know the function or regex that would do this?

1 Solution

cpetterborg
SplunkTrust

rex field=fieldname "^(?P<first3>...)"


gbower333
Path Finder

Interesting note, I used 3 methods to get characters and deal with several lines in my data:

| abstract maxterms=24 maxlines=1
- I wanted to only see the first line but this pulled 24 characters into one line. Not too bad though.

| rex "^(?<TIME>.{24})"
- Did not match the new line, returned nothing if first line was shorter than 24 characters.

| eval TIME=substr(_raw,1,24)
- Going to use this one.

Using this to look at TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, and TIME_FORMAT settings in bulk.

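As an added illustration (not part of gbower333's post and not Splunk code), the following Python reproduces the two behaviours described above on constructed multi-line events. Splunk's rex uses PCRE, where `.` does not match a newline unless a flag says otherwise, so Python's `re.search` without `re.DOTALL` reproduces the "returned nothing" case; `substr(_raw,1,24)` is emulated with a plain slice. The group name `TIME`, the function names and the sample events are assumptions made for the example.

```python
import re

# Constructed sample events (not from the thread): one whose first line is
# longer than 24 characters and one whose first line is shorter.
LONG_FIRST_LINE = "2021-03-04 12:34:56,789 INFO worker started\nsecond line of the event\n"
SHORT_FIRST_LINE = "03/04 12:34:56 warn\nsecond line carries the rest\n"


def rex_first24(raw):
    """Emulates `| rex "^(?<TIME>.{24})"`.

    `.` does not match a newline, so when the first line has fewer than
    24 characters the pattern fails and no TIME field is produced (None).
    """
    m = re.search(r"^(?P<TIME>.{24})", raw)
    return m.group("TIME") if m else None


def substr_first24(raw):
    """Emulates `| eval TIME=substr(_raw,1,24)`.

    substr is 1-based in Splunk; Python slicing is 0-based. Slicing never
    fails, but it runs straight across the newline when the first line is
    short, so the result can contain a line break.
    """
    return raw[0:24]


def crosses_line_break(raw):
    """True when the substr result spills into the second line."""
    return "\n" in substr_first24(raw)


if __name__ == "__main__":
    for raw in (LONG_FIRST_LINE, SHORT_FIRST_LINE):
        print(repr(rex_first24(raw)), repr(substr_first24(raw)), crosses_line_break(raw))
```

The point for the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD check described above: the rex variant silently drops events whose first line is short, while the substr variant keeps every event but may hand you a value that straddles two lines, so it is worth checking the extracted field for a line break before trusting it.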

chimell
Motivator

hi HattrickNZ

If you already have the field whose first 3 characters you want to extract, try this:

    ....... | eval First3=substr(fieldname,1,3)

For example, with the access_combined sourcetype you can extract the first 3 characters of the clientip field and use them to count the number of events by cli3 like this:

    sourcetype=access_* | eval cli3=substr(clientip, 1, 3) | stats count by cli3

vincenteous
Communicator

Hi Hattrick,

To achieve this, you can use either the "rex" command or the "substr" function. For example:

You have a field called "name" and the value is "Mario"

Using rex:

... | rex field=name "(?P<subname>\w{3}).*"

Using substr:

... | eval subname=substr(name,1,3)

Both should produce "Mar"

Reference: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions

cpetterborg
SplunkTrust

Your rex will only catch the first three word characters. If there is punctuation, it will move on until it finds word characters, which may not be the first three characters. If the field contains "a-bc-def" then your rex would match "def" not "a-b".

vincenteous
Communicator

Right, missed that one. Thanks for the notice.

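To make the rex-versus-substr comparison and cpetterborg's caveat concrete, here is an added Python example (not code from the thread or from Splunk). It emulates `rex` with `re.search`, which like rex scans for the first position where the pattern matches, and `substr(field,1,3)` with a slice (Splunk's substr is 1-based, Python's slicing is 0-based). It also emulates the `stats count by cli3` query from the earlier answer with a `Counter`. The function names, the sample field values and the client IP list are constructed for the example.

```python
import re
from collections import Counter


def rex_anchored_first3(value):
    """Accepted answer: | rex field=fieldname "^(?P<first3>...)"

    Anchored at the start, any three characters. Returns None when the
    value has fewer than three characters, because rex then sets no field.
    """
    m = re.search(r"^(?P<first3>...)", value)
    return m.group("first3") if m else None


def rex_word_first3(value):
    """vincenteous's version: | rex field=name "(?P<subname>\\w{3}).*"

    Unanchored and limited to word characters, so the match is the first
    run of three word characters anywhere in the value, not necessarily
    the first three characters.
    """
    m = re.search(r"(?P<subname>\w{3}).*", value)
    return m.group("subname") if m else None


def substr_first3(value):
    """| eval First3=substr(fieldname,1,3)  (never fails, may be shorter)"""
    return value[0:3]


def count_by_cli3(clientips):
    """Emulates: ... | eval cli3=substr(clientip,1,3) | stats count by cli3"""
    return Counter(substr_first3(ip) for ip in clientips)


if __name__ == "__main__":
    # Constructed field values: the thread's "Mario" and "a-bc-def", plus a
    # value shorter than three characters to show the edge case.
    for value in ("Mario", "a-bc-def", "ab"):
        print(value, rex_anchored_first3(value), rex_word_first3(value), substr_first3(value))

    # Constructed client IPs (not real hosts).
    print(count_by_cli3(["10.0.0.1", "10.0.0.2", "192.168.1.5", "10.1.2.3"]))
```

Two things the example makes visible: on "a-bc-def" only the anchored `...` pattern and `substr` return "a-b", while `\w{3}` skips ahead to "def"; and on a value shorter than three characters the anchored rex produces no field at all, whereas `substr` returns what is there, so a search that relies on `first3` always existing should guard it with `isnull()` or use `substr`. The `Counter` output also shows that the first three characters of an IP ("10.") are not the same as its first octet, which matters if the goal is grouping by network.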


HattrickNZ
Motivator

tks, perfect
