12 easy steps to get substring in Splunk: 

Open the Splunk search bar and type the following command:

index="index_name" sourcetype="sourcetype_name" 

Replace index_name with the name of the index that contains the data you want to search.

Replace sourcetype_name with the sourcetype of the data you want to search.

Add the following command to extract the substring:

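| eval substring=substr(field_name, start_index, length)

Replace field_name with the name of the field that contains the string you want to extract the substring from. Do not wrap the field name in double quotes: eval treats a double-quoted value as a literal string rather than a field reference. Use single quotes if the field name contains spaces or special characters.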

Replace start_index with the start index of the substring. Splunk counts positions from 1, and a negative index counts back from the end of the string.

Replace length with the length of the substring.

If you want to extract the rest of the string, you can omit the length argument.

Click the Search button to run your search.

The results of your search will be displayed in the Splunk search results table.

The new field substring will contain the extracted substring.

You can now use the substring field in your Splunk searches and dashboards.
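
The steps above, applied to one constructed log line (an added example, not part of the original page; the event, the field names raw_line, ts, message, proto and literal are all assumptions made for illustration). It uses makeresults so it runs without any index, and shows a fixed-length extract, an extract with the length omitted, a negative start index, and what happens when the field name is double-quoted by mistake:

```spl
| makeresults
| eval sample_note="constructed sample event for illustration"
| eval raw_line="2024-05-01T12:00:03Z sshd[4121]: Failed password for root from 203.0.113.7 port 52114 ssh2"
| eval ts=substr(raw_line, 1, 20)
| eval message=substr(raw_line, 22)
| eval proto=substr(raw_line, -4)
| eval literal=substr("raw_line", 1, 3)
| table ts message proto literal
```

Here ts holds the 20-character timestamp, message holds everything from position 22 onward, proto holds the last four characters (ssh2), and literal holds "raw" because the double-quoted argument is treated as the string raw_line itself.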
