topic Re: Help with trimming characters in Splunk Search

Help with trimming characters

TheJagoff — Tue, 26 Jan 2016 23:40:57 GMT

Hi,

Having some issues here. I have the following values in a field named populace
The values are encased in a < and > (I tried to show it in the thread but it won't)

I need it to look like this:
15
12
4
0
...

I need to just get the numeric values out of this field and have used ltrim and rtrim, but still see the unwanted characters of < and >

| eval field=rtrim(populace,">") | eval field=ltrim(populace,"<")

I also tried this:

| eval populace=trim("<")

Then finally I tried:

| rex field=populace "<:(?.* >:)"

Any guidance/help would be greatly appreciated.

Thank you.

Re: Help with trimming characters

javiergn — Tue, 26 Jan 2016 23:57:26 GMT

Hi,

Sorry if I missed anything but your post is a bit confusing without the escaping characters. In future make sure you enclose all your queries and examples between code tags (the icon with 1s and 0s above)

Anyway, if you just want to capture numerical values you can use this instead:

yoursearch
| rex field=populace max_match=0 "(?<justNumbers>\d+)"
| table justNumbers

Let me know if that works for you. Otherwise please provide more info about your data.

Thanks,
J

Re: Help with trimming characters

wrangler2x — Wed, 27 Jan 2016 00:06:09 GMT

The easiest thing to do is to rex the field, matching on the less-than-sign, then doing a named capture group for anything not matching a more-than-sign, using a different field name. Here is an example where I created the fields you said, and then extracted what is in them:

| gentimes start=-1 | eval populace="
 populace=<15>
 populace=<12>
 populace=<4>
 populace=<0>"
| rex max_match=0 field=populace "\x3C(?<populacext>[^\x3E]+)" | table populacext populace

The only thing you are interested in here is the rex -- the rest is just window-dressing to create the basis for it in search. In your case you would not need the max_match=0

Re: Help with trimming characters

wrangler2x — Wed, 27 Jan 2016 00:07:24 GMT

Oh, and I don't know why splunk anwers place a 5. in front of the line populace=<0>" -- don't include that in your search when you try my test.

Re: Help with trimming characters

somesoni2 — Wed, 27 Jan 2016 03:31:54 GMT

There are multiple options, rex with sed OR replace to do that

| gentimes start=-1 | eval text=" <15>"
  | table text  | eval text1=text | rex mode=sed field=text1 "s/(\<|\>)//g" | eval text3=replace(replace(text,"<",""),">","")

Re: Help with trimming characters

javiergn — Wed, 27 Jan 2016 09:34:50 GMT

Hi,

The following gives me the output you are looking for:

| gentimes start=-1 
| eval populace="
    populace=<15>
    populace=<12>
    populace=<4>
    populace=<0>"
 | rex field=populace max_match=0 "(?<justNumbers>\d+)"
 | table justNumbers

OUTPUT:

justNumbers
15
12
4
0

If you take the bottom two lines and append that to your search if should give you what you are looking for. Otherwise please provide more information.

The following works too:

| gentimes start=-1 
| eval populace="
    <15>
    <12>
    <4>
    <0>"
 | rex field=populace max_match=0 "(?<justNumbers>\d+)"
 | table justNumbers

And the following:

| gentimes start=-1 
| eval populace="
    <15
    12
    4
    0>"
 | rex field=populace max_match=0 "(?<justNumbers>\d+)"
 | table justNumbers

Re: Help with trimming characters

TheJagoff — Wed, 27 Jan 2016 11:35:43 GMT

Hey that works perfectly. Many thanks!

I apologize for not being able to show the issue better but I did encase the numbers in the <> but at first, the numbers were not showing, then I put a \ in front of the > and I was told that I had an xml phrase and couldn't post that. I also should have stated that there are thousands of lines where this is happening. Again, I thank you for your insight.

Re: Help with trimming characters

TheJagoff — Wed, 27 Jan 2016 11:37:04 GMT

Yes, that can work also. I will keep this for further use - I'm sure that I will be running across things like this and can use all ways possible.