Splunk Examples: Manipulating Text and Strings

Splunk Examples: Manipulating Text and Strings

Last updated:
Table of Contents

All examples use the tutorial data from Splunk running on a local Splunk version

Field Starts with

Use where with like:

Example: filter rows where field AcctID starts "87":

your-search-criteria
| where AcctID like "87%"

splunk-where-like Just use | where together with like

Field Ends with

Again, just use where with like but the "%" character is now on the left:

Example: filter rows where field AcctID ends in "48":

your-search-criteria
| where AcctID like "%48"

splunk-where-like-right-side Similarly to the previous entry, but now using % on the left

Field contains string

As you would expect, we can also use where with like to match both sides, effectively having a contains behaviour:

Example: filter rows where field AcctID contains the string "94" anywhere:

your-search-criteria
| where AcctID like "%94%"

splunk-where-like-contains-string Blow the dust off your SQL knowledge, you can use it in splunk too!

Substring

Use substr(<field>, <start>, <end>)

Example: Extract the end of the string in field somefield, starting at index 23 (until 99)

your-search-criteria
| eval newfield=substr(somefield, 23, 99)

Substring, split by character

TODO

References

splunk

Archive