Solved: extracting the first 3 characters from a field?

HattrickNZ · ‎03-19-2015

How do I extract the first 3 characters from a field ?

I thought it might be something like ... | eval First3=substring(fieldname,3)

Anyone know the function or regex that would do this?

cpetterborg · ‎03-19-2015

rex field=fieldname "^(?P<first3>...)”

View solution in original post

inventsekar · ‎10-29-2023

Tested the rex and substr, which works perfect. The abstract giving some troubles, will check it again.
https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Abstract

|makeresults 
| eval samplelog="h1 #_\"he$$llohibye"
| rex field=samplelog "^(?P<EightCharsRex>........)" 
| eval EightCharsSubStr=substr(samplelog,1,8)
```| abstract maxterms=9 maxlines=1```
| table samplelog EightCharsRex EightCharsSubStr

this produces this result:

samplelog	        EightCharsRex	EightCharsSubStr
h1 #_"he$$llohibye	h1 #_"he	h1 #_"he

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

shahrukhvp · ‎10-29-2023

I am not sure if this option was available in 2015 but as of today the easier way to do this would be with the use of one of the text functions with the EVAL command.

Usage: substr(<str>,<start>,<length>)

In your case:
| eval n=substr("your_string", 1, 3)

gbower333 · ‎12-12-2017

Interesting note , I used 3 methods to get characters and deal with several lines in my data:

| abstract maxterms=24 maxlines=1
-I wanted to only see the first line but this pulled 24 characters into one line. Not too bad though.

| rex "^(?.{24})"
-Did not match the new line, returned nothing if first line was shorter than 24 characters.

| eval TIME=substr(_raw,1,24)
-Going to use this one.

Using this to look at TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, and TIME_FORMAT settings in bulk.

chimell · ‎03-20-2015

hi HattrickNZ

If you already have the field that you want to extract their 3 first characters try to use this

    ....... | eval First3=substr(fieldname,1,3)

For example with access_combined sourcetype you can extract the 3 first characters of clientip field and use it to count the number of events by cli3 like this

 sourcetype=access_* | eval cli3=substr(clientip , 1 ,3) |stats count by cli3

vincenteous · ‎03-19-2015

Hi Hattrick,

To achieve this, you can use either "rex" or "substr" function. For example:

You have a field called "name" and the value is "Mario"

Using rex:

... | rex field=name "(?P<subname>\w{3}).*"

Using substr:

... | eval subname=substr(name,1,3)

Both should produce "Mar"

Reference: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions

cpetterborg · ‎03-20-2015

Your rex will only catch the first three word characters. If there is punctuation, it will move on until it finds word characters, which may not be the first three characters. If the field contains "a-bc-def" then your rex would match "def" not "a-b".

vincenteous · ‎03-20-2015

Right, missed that one. Thank for the notice

cpetterborg · ‎03-19-2015

rex field=fieldname "^(?P<first3>...)”

HattrickNZ · ‎03-22-2015

tks, perfect

extracting the first 3 characters from a field?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)