Function to fetch a part of a field value

Jananee_iNautix · ‎01-28-2014

A field called username has values
INPUT:
kesia@abc.bgf.hf:123
gefuf@ef.eff.gre:872
.I want to take the string before the @ symbol alone like
OUTPUT:
kesis
gefuf

How can this be done in splunk and Which function will be apt to this requirement?

Jananee_iNautix · ‎01-29-2014

At search time only.i extracted the field username which has sample values i specified.i want to extract a part of that field value

MuS · ‎01-28-2014

Hi Jananee_iNautix,

based on the provided information, you can use rex to do this in search time like this:

YorFancySearch | rex field=username "\s(?<username>.*)\@" | ....

If you want that field to be extracted at index time, use the this guide

hope this helps ...

cheers, MuS

somesoni2 · ‎01-29-2014

small correction here in rex. Field name extracted with @ is username.

your base search..| rex field=username "(?.*)@"

Jananee_iNautix · ‎01-29-2014

i don want to extract it like you said.Using functions i want to take kesia alone from the value kesia@abc.bgf.hf:123 named as a field username

hRun · ‎01-28-2014

Is the username field a multivalue field or did you just provide two examples for possible values?
And are you referring to an extraction at search time or at indexing time (field extraction)?

Function to fetch a part of a field value

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk