topic Re: The "ltrim" problem in Splunk Search

The "ltrim" problem

sajalbansal2 — Thu, 30 Jun 2022 13:26:23 GMT

Hi Everyone,

There's a small problem I'm having while using the ltrim function.

Query:

| makeresults | eval username="dev_vishal" | eval trimName=ltrim(username,"dev_") | table username trimName

Output:
username = dev_vishal
trimName = ishal

What I really want is to trim the "dev_" out of "dev_vishal". I noticed that this works well with any other username which does not start with a "v". For example:

Query:

| makeresults | eval username="dev_sajal" | eval trimName=ltrim(username,"dev_") | table username trimName

Output:
username = dev_sajal
trimName = sajal

Request the Splunk community to please help me with this.

Thanks,
Sajal

Re: The "ltrim" problem

ITWhisperer — Sat, 18 Jun 2022 06:19:54 GMT

ltrim() is removing any of those characters from the left - you would have the same issue with ltrim("e_vd",...) or with "dev_david". Try this instead

| rex field=username "^dev_(?<trimName>.*)"

Re: The "ltrim" problem

sajalbansal2 — Thu, 30 Jun 2022 12:46:24 GMT

@ITWhisperer , many thanks for providing a quick solution. Apologies for my late reply.

What I used to solve the problem was slightly different but definitely lengthy (in terms of functions, commands used). See below example for my solution:

| makeresults
| eval username="dev_vishal"
| eval devFlag=if(match(username,".*dev_*."),1,0), tempName=split(username,"_")
| eval newUsername = if(devFlag=1,mvindex(tempName,1),username)
| table username newUsername

Output:
username = dev_vishal
newUsername = vishal

Problem is, now I'm receiving some logs where usernames are a bit different such as, USER_sajal, temp_sajal etc. So to handle that, I would use your suggestion above i.e the "rex" command. See below example:

| eval username="dev_vishal"
| rex field=username "\w+_(?<newUsername>.*)"

In this way it would work for all kinds of usernames. Be it dev_vishal, USER_sajal or temp_sajal etc.

Thanks,
Sajal