
Splunk Processing Language (SPL) SubStr Function


Written by: Michael Tolbert | Last Updated: May 7, 2024 | Originally Published: August 18, 2023

The Splunk Processing Language (SPL for short) provides fantastic commands for analyzing data and creating content from your search results. The language also provides functions to render the outputs of your searches in many ways. There are string manipulation functions that provide ways to manipulate string values inside of a field. Whether you are a newbie or a seasoned pro, string manipulation in Splunk can be challenging. In this article, we will explore using the substr function (step-by-step) and how to use it to perform string manipulation in your SPL searches.

What is the Splunk substr?

The Splunk substr function is used to manipulate strings by parsing string values inside your event fields. Let us say you have an event with a field called “Address” that contains the string value “222 Somewhere St, Washington DC 10234.” If you want to include just the house number and street, but exclude the city, state, and zip code, you can do this using the substr function.

What are the benefits of using the Splunk substr?


Eliminate unnecessary information from your results. This is key when wanting to render only the information that is meaningful.


Pull out valuable information from a field to use in another part of the search. This becomes key to the overall search execution by allowing you to parse out only the information that is needed for the next command.

How to use the Splunk substr?

The substr function takes three arguments: “str,” the string to parse; “start,” an integer giving the position at which parsing starts; and “length,” the number of characters to parse out of the whole string. The substr function is used in a Splunk “eval” statement in the following manner:
... | eval StreetOnly = substr("222 Somewhere St, Washington DC 10234", 1, 16)
In this example, the string value is surrounded by quotes. The “1” argument specifies the starting position, here the first character in the string. This can be any value from 1 to the maximum length of the string. The “16” argument specifies the number of characters to grab from the start point of the string. This value can be anything from 1 to the maximum string length. The length argument is also optional; when it is omitted, substr returns everything from the start position to the end of the string.
Here is an example of using “substr” to parse out values needed for the next command in the search:
... | eval NumberOnly = substr("222 Somewhere St, Washington DC 10234", 1, 3) | stats count by NumberOnly
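The same calls applied to a field rather than a literal, as an added example that is not from the original article. The two Address rows are constructed sample data generated with makeresults. The field names Zip, CityStateZip, StreetBySplit, n and sample_note are assumptions for illustration, and split/mvindex are shown only as a contrast to fixed positions.

```spl
| makeresults count=2
| streamstats count AS n
| eval sample_note = "constructed sample rows, not real data"
| eval Address = if(n==1, "222 Somewhere St, Washington DC 10234", "15 Elsewhere Rd, Washington DC 10235")
| eval StreetOnly = substr(Address, 1, 16)
| eval NumberOnly = substr(Address, 1, 3)
| eval Zip = substr(Address, -5)
| eval CityStateZip = substr(Address, 19)
| eval StreetBySplit = mvindex(split(Address, ","), 0)
| table Address StreetOnly NumberOnly Zip CityStateZip StreetBySplit
```

The second row's street portion is one character shorter, so the fixed-width StreetOnly picks up the trailing comma and NumberOnly a trailing space, while the delimiter-based StreetBySplit still returns only the street. Zip uses a negative start to count from the end of the string, and CityStateZip omits the length argument.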


The substr function is just one of many powerful string manipulation functions that Splunk provides for parsing data. You can use the substr function to tailor the results from your searches or to parse required information from a field to be fed into another command.
