https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230502#M68330 <P>I am trying to get all DHCP records for machines on which an authentication attempt was made for a user. I am doing this with a subsearch on the Authentication datamodel for the authentication sources.<BR /><BR /> One thing that I noticed is that sometimes my authentication info has the machine name, while other times it has the IP Address source, but prepended with "::ffff:"<BR /> That extra bit at the front makes the source unfindable in DHCP logs. Is there a way for my tstats result to remove the "::ffff:"</P> <P>I have tried</P> <PRE><CODE>|tstats count FROM datamodel=Authentication WHERE Authentication.user="&lt;user&gt;" Authentication.action="failure" by Authentication.src | eval src=ltrim(Authentication.src,"::ffff:") | fields src </CODE></PRE> <P>for which I end up with an empty field called src</P> <P>and (longshot)</P> <PRE><CODE>|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by ltrim(Authentication.src,"::ffff:") </CODE></PRE> <P>which give me the error Error in 'tstats' command: Invalid argument: '::ffff:)'</P> <P>if it matters, here is the larger query</P> <PRE><CODE>sourcetype=DhcpSrvLog "DNS Update Successful" [|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by Authentication.src | rename Authentication.src as search] | table time dest dest_ip </CODE></PRE> Mon, 16 Jan 2017 17:25:55 GMT MonkeyK 2017-01-16T17:25:55Z https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230502#M68330 <P>I am trying to get all DHCP records for machines on which an authentication attempt was made for a user. I am doing this with a subsearch on the Authentication datamodel for the authentication sources.<BR /><BR /> One thing that I noticed is that sometimes my authentication info has the machine name, while other times it has the IP Address source, but prepended with "::ffff:"<BR /> That extra bit at the front makes the source unfindable in DHCP logs. Is there a way for my tstats result to remove the "::ffff:"</P> <P>I have tried</P> <PRE><CODE>|tstats count FROM datamodel=Authentication WHERE Authentication.user="&lt;user&gt;" Authentication.action="failure" by Authentication.src | eval src=ltrim(Authentication.src,"::ffff:") | fields src </CODE></PRE> <P>for which I end up with an empty field called src</P> <P>and (longshot)</P> <PRE><CODE>|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by ltrim(Authentication.src,"::ffff:") </CODE></PRE> <P>which give me the error Error in 'tstats' command: Invalid argument: '::ffff:)'</P> <P>if it matters, here is the larger query</P> <PRE><CODE>sourcetype=DhcpSrvLog "DNS Update Successful" [|tstats count FROM datamodel=Authentication WHERE Authentication.user="userName" Authentication.action="failure" by Authentication.src | rename Authentication.src as search] | table time dest dest_ip </CODE></PRE> Mon, 16 Jan 2017 17:25:55 GMT https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230502#M68330 MonkeyK 2017-01-16T17:25:55Z https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230503#M68331 <P>Try this</P> <PRE><CODE>|tstats count FROM datamodel=Authentication WHERE Authentication.user="&lt;user&gt;" Authentication.action="failure" by Authentication.src | eval src=replace('Authentication.src',"::ffff:","") | fields src </CODE></PRE> Mon, 16 Jan 2017 17:29:43 GMT https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230503#M68331 somesoni2 2017-01-16T17:29:43Z https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230504#M68332 <P>Perfect. that does it! I guess that I need the field name in single quotes. Did not realize that.</P> Mon, 16 Jan 2017 22:14:10 GMT https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230504#M68332 MonkeyK 2017-01-16T22:14:10Z https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230505#M68333 <P>Yes, for field names which contains special characters like colon, dot, space etc (underscore is fine).</P> Mon, 16 Jan 2017 22:29:34 GMT https://community.splunk.com/t5/Splunk-Search/how-do-I-manipulate-string-data-in-tstats-results/m-p/230505#M68333 somesoni2 2017-01-16T22:29:34Z