topic Re: trim out field using replace in Splunk Search

trim out field using replace

brdr — Mon, 30 Apr 2018 19:57:16 GMT

I'm reading from a file that has messages like these:

Action (0x00000173): x.x.x.x; |Performed by user "User 1"
Action (0x00000173): host2.domain.com; |Performed by user "User 2"
Action (0x00000173): host3.CA.domain.com; |Performed by user "User 3"

After the lookup is done I have parsed out the host identifier (as either x.x.x.x, host2.domain.com, host3.CA.domain.com) as field host. Now I need to perform actions. If the host value is an IP address then do nothing. However, if the host value is not an IP address then strip off everything (and including .) after the first period.

I think the replace command will work but not getting it right... I have:

| eval host=if(match(host, "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$"), host, replace(host, 'do something here', 'do somethinge here'))

In the end I should I have:
x.x.x.x
host2
host3

Thank you

Re: trim out field using replace

somesoni2 — Mon, 30 Apr 2018 20:11:14 GMT

Give this a try

| eval host=if(match(host, "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$"), host, replace(host, "^([^\.]+)\..+","\1"))

Re: trim out field using replace

xpac — Mon, 30 Apr 2018 20:11:49 GMT

Try this:

| makeresults
| eval host="host3.CA.domain.com"
| eval host=if(match(host, "^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$"), host, replace(host, "^([^\.]+)\..*$", "\1"))

More explanation here in the docs, explanation of the regex here.

Re: trim out field using replace

brdr — Mon, 30 Apr 2018 20:16:58 GMT

Thanks somesoni2! work perfectly.

Re: trim out field using replace

brdr — Mon, 30 Apr 2018 20:18:27 GMT

thx xpac for responding. the regular expression you provided me resulting in host field blank. I have the right answer now. 🙂