How to extract string after special character

eli_da · ‎07-23-2019

Hello everyone,

I have a simple question about rex, I have not been successful.

I have a string:

"bllablla_toni" 
"bloobloo_jony"

And I am want to extract the string after character "_".
The result will be:

"toni" 
"jony"

Thanks!

eli_da · ‎07-24-2019

,Is work

Thank!

vnravikumar · ‎07-23-2019

Hi @eli_da

Try this simple rex

| makeresults 
| eval str="bllablla_toni,bloobloo_jony" 
| makemv delim="," str 
| rex field=str "\_(?P<result>\w+)" 
| mvexpand result 
| table result

jaime_ramirez · ‎07-23-2019

Hi

The following should do the trick:

[^_]+\_(?<extracted_string>.*)

Applied to rex (just copy and paste into splunk directly):

| makeresults 
| eval events="bllablla_toni bloobloo_jony"
| eval events=split(events, " ")
| mvexpand events
| rename events as strings
| rename COMMENT AS "--- Sample Generated Events Above ---"
| rex field=strings "[^\_]+\_(?<extracted_string>.*)"

Hope it helps

How to extract string after special character

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...