https://community.splunk.com/t5/Splunk-Search/How-to-extract-one-field-combining-different-substrings-of/m-p/172698#M49506 <P>I have a pattern in my raw field " ..... SPLIT: 11111:22222 ........." which says master id was split to <EM>id1:id2</EM>. But the master id i need is <EM>id1</EM><EM>id2</EM>. Is there a way to do this. I used rex and managed to get <EM>id1:id2</EM>, but couldn't take off the colon. I see extracting to 2 fields and doing 'eval' with '+' is an option, but that looks messy</P> <P>So far, I have |rex "SPLIT: (?\d+:\d+)" ) |<BR /> This gives me masterID=11111:22222. But I need masterID=1111122222</P> Fri, 17 Oct 2014 22:53:05 GMT bharathreddyp 2014-10-17T22:53:05Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-one-field-combining-different-substrings-of/m-p/172698#M49506 <P>I have a pattern in my raw field " ..... SPLIT: 11111:22222 ........." which says master id was split to <EM>id1:id2</EM>. But the master id i need is <EM>id1</EM><EM>id2</EM>. Is there a way to do this. I used rex and managed to get <EM>id1:id2</EM>, but couldn't take off the colon. I see extracting to 2 fields and doing 'eval' with '+' is an option, but that looks messy</P> <P>So far, I have |rex "SPLIT: (?\d+:\d+)" ) |<BR /> This gives me masterID=11111:22222. But I need masterID=1111122222</P> Fri, 17 Oct 2014 22:53:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-one-field-combining-different-substrings-of/m-p/172698#M49506 bharathreddyp 2014-10-17T22:53:05Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-one-field-combining-different-substrings-of/m-p/172699#M49507 <P>One option is to set up an <CODE>SEDCMD</CODE> setting in props.conf that removes the colon from your events during index time. That'll work very well and will be simple to work with at search time, but remember that it does alter what is written to your index and that this cannot be done retroactively.</P> <P>A purely search-time option is to extract both sections of the id into two fields and to define a calculated field that appends the two together, or to extract the whole id into one field and to define a calculated field that removes the colon.</P> Fri, 17 Oct 2014 23:50:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-one-field-combining-different-substrings-of/m-p/172699#M49507 martin_mueller 2014-10-17T23:50:24Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-one-field-combining-different-substrings-of/m-p/172700#M49508 <P>Another way to use SED would be to pipe to the rex command again.<BR /><BR /> | rex field=MasterID mode=sed "s/://g"</P> Sat, 18 Oct 2014 02:09:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-one-field-combining-different-substrings-of/m-p/172700#M49508 sjaworski 2014-10-18T02:09:27Z