Solved: How to extract substring in a string for eval case...

Chandras11 · ‎04-13-2018

Hi All,

I have a field "CATEGORY3," with strings for example:-
Log 1.2 Bundle With 12 INC

Log 1.2 Bundle With 3 INC
Log 1.2 Bundle With 103 INC
Log 1.3 IP
Log 1.3 IP

I just need to extract the number of INCs if the CATEGORY3 contains Bundle Keyword. I tried something like substr(CATEGORY3,19,3), but it won't give a proper answer.
I was trying to look for regex as well, but I really do not know how to rex command inside eval case

index="index1" sourcetype="XXX" | eval NE_COUNT= case(match(CREATOR_SUBJECT,"Bundle"),  , match(CREATOR_SUBJECT,"IP"), 1 )

Thanks in advance

adonio · ‎04-13-2018

hello there,
try this:
... your search ... | rex field=CATEGORY3 "Bundle With (?P<num_of_inc>\d+) INC"
hope it helps

View solution in original post

adonio · ‎04-13-2018

hello there,
try this:
... your search ... | rex field=CATEGORY3 "Bundle With (?P<num_of_inc>\d+) INC"
hope it helps

p_gurav · ‎04-13-2018

Hi,

Can you try below rex which only works on event which has Bundle keyword:

| rex field=_raw "Bundle With (?P<inc_count>\d+) INC"

rogerdpack · ‎11-22-2019

for followers, in general you extract using substr in an "eval" see https://answers.splunk.com/answers/210683/how-to-use-substr-to-extract-the-first-3-letters-o.html

Chandras11 · ‎04-13-2018

Thanks for the Answer. Its working and I learn a new point here. Just want to point that instead of checking in _raw , we can also use the field name CATEGORY3 for faster exeution.

elliotproebstel · ‎04-13-2018

Hey @p_gurav - I think your code is getting mangled because you forgot to use the 010101 code button. Maybe fix it so the user can test? I think your answer is probably correct!

How to extract substring in a string for eval case?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes