Splunk Search

How do I extract last numbers in field

dfigurello
Communicator

Hello Splunkers,

I would like to create a new field with the last numbers in another field called logid

For example:

logid = 0101232010

logid = 0101242010
logid = 0101240210

I want to create a new field with the last 5 numbers, like this:

id= 32010
id= 42010
id= 40210

Could I create a regex for that?

Tks.

0 Karma
1 Solution

reed_kelly
Contributor

If I understand correctly, you just want to extract the last 5 characters of a field. Here is an example using the rex command:

|gentimes start=-1 |eval foo="1232134324" |rex field=foo "(?<id>\d{5})$" |table foo,id

returns: foo=1232134324 id=34324


dfigurello
Communicator

Thank you Splunkers!

🙂

0 Karma

somesoni2
SplunkTrust

Another option could be using substring.

sourcetype=fortigate subtype=admin pri=warning | stats count by log_id | eval newfield=substr(log_id,len(log_id)-4) | table log_id, newfield
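Putting the rex and substr approaches from the two answers above side by side, as an added Python example that is not from the thread or from Splunk: it mimics rex semantics with Python's re module (Splunk's rex uses PCRE, which agrees with Python for these patterns) and shows what the anchor and the missing backslash change. The log_id values are the ones from the question plus one constructed non-numeric value.

```python
import re

# Sample values: the three log_id values from the question plus one
# constructed value whose last five characters are not digits.
LOG_IDS = ["0101232010", "0101242010", "0101240210", "01012ABCDE"]

# Accepted answer's pattern: five digits anchored to the end of the field.
ANCHORED = re.compile(r"(?P<id>\d{5})$")
# Same pattern without the anchor: rex keeps the first match, so this
# silently returns the FIRST five digits instead of the last five.
UNANCHORED = re.compile(r"(?P<id>\d{5})")
# The pattern as it rendered in the thread with the backslash stripped:
# "d{5}" matches the literal string "ddddd", so nothing is extracted.
BROKEN = re.compile(r"(?P<id>d{5})$")


def rex(pattern, value):
    """Mimic `rex field=<f> "<pattern>"`: first match wins; no match -> field absent (None)."""
    m = pattern.search(value)
    return m.group("id") if m else None


def substr_last5(value):
    """Mimic `eval newfield=substr(log_id, len(log_id)-4)` for the 10-character
    values on the page: Splunk substr is 1-indexed, so start=len-4 yields the
    last five characters, regardless of whether they are digits.
    (Behaviour for values shorter than five characters is not modelled here.)"""
    return value[-5:]


def extract_all(values):
    """Return one row per value with the result of each approach."""
    return [
        {
            "log_id": v,
            "anchored": rex(ANCHORED, v),
            "unanchored": rex(UNANCHORED, v),
            "broken": rex(BROKEN, v),
            "substr": substr_last5(v),
        }
        for v in values
    ]


if __name__ == "__main__":
    for row in extract_all(LOG_IDS):
        print(row)
```

The practical difference: the anchored rex yields nothing when the tail is not numeric, while substr returns whatever the last five characters are, so pick the one whose failure mode you want in downstream searches.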


somesoni2
SplunkTrust

Also, you've kept the name of the new field the same as the old field; use the following:
...| rex field=log_id "(?<id>\d{5})$" | table log_id,id

0 Karma

MuS
SplunkTrust

For a start keep it simple and just try to get the field=value pair like this:

sourcetype=fortigate subtype=admin pri=warning | rex "(?<log_id>\d{5})$" | table log_id

0 Karma

reed_kelly
Contributor

The backslash before the "d{5}" didn't get rendered. I have edited my answer to fix that. It should be "\d{5}"

0 Karma

dfigurello
Communicator

hi reed.kelly,

I don't get it. I am trying it in my search. Look at my search:

sourcetype=fortigate subtype=admin pri=warning | stats count by log_id | rex field=log_id "(?<id>d{5})$" | table log_id

Any idea ?

0 Karma