Solved: how to show a substr

dan_pudwell · ‎04-01-2016

I am doing a substr and want to see that in a table, however it just gives no results

baseSearch | eval id = substr(detail.id,2,7)| table id

I would expect to see a table of id's that have been substringed, however I get no results found?

javiergn · ‎04-01-2016

Try with quotes:

baseSearch | eval id = substr("detail.id",2,7)| table id

View solution in original post

javiergn · ‎04-01-2016

Try with quotes:

baseSearch | eval id = substr("detail.id",2,7)| table id

dan_pudwell · ‎04-01-2016

I just figured this out and went to add my own answer!
single quotes work as well

sumeet20rani · ‎03-20-2019

Hi,
I have DB field which has value like -
DB = arn:aws:rds:eu-west-1:354706231380:db:we1abcdeslfwtya
I want to print we1abcdeslfwtya
And below is my query -
| rename results{}.total_amortized_cost as Total_amor , results{}.resource_identifier as DB | eval n=substr(DB,15) | table DB , n
However, I get the n column in table as blank. I dont know whats wrong happening here. I tried with double quotes ( " ) and single quotes ( ' ) both for DB and it doesn't work. Like substr("DB",15)
Can someone help please.
Thanks in advance
Regards,
Sumeet

woodcock · ‎04-01-2016

So will dollar-signs.

how to show a substr

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation