https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311370#M93324 <P>Hi @cusello, thank you for the comprehensive reply.</P> <P>I want to make the change at search time, so I used the second solution you provided but unfortunately, it didn't work with the output of the field now showing: </P> <P>0\d*</P> <P>Many thanks and kind regards</P> <P>Chris</P> Thu, 31 Aug 2017 11:57:42 GMT IRHM73 2017-08-31T11:57:42Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311368#M93322 <P>Hi,</P> <P>I wonder whether someone may be able to help me please.</P> <P>I have a telephone number field "telnofac" with the first two digits being 44.</P> <P>Could someone tell me please is there a way to replace these the 44 with a 0?</P> <P>Many thanks and kind regards</P> <P>Chris</P> Thu, 31 Aug 2017 11:25:56 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311368#M93322 IRHM73 2017-08-31T11:25:56Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311369#M93323 <P>Hi IRHM73,<BR /> two additional information:</P> <UL> <LI>do you want to replace numbers at index time or at search time?</LI> <LI>do you want replace 44 with 0 or with 044?</LI> </UL> <P>if at index time and you want to replace 44 with 0, you have to insert in your props.conf in your sourcetype stanza (if before number there's "telnofac=")</P> <PRE><CODE>SEDCMD-telnofac = s/telnofac\=44\d*/telnofac\=0\d*/g </CODE></PRE> <P>(check regex!)</P> <P>if you want to do this at search time and replace 44 with 0 use this command</P> <PRE><CODE>| rex field=telnofac mode=sed "s/44\d*/0\d*/g" </CODE></PRE> <P>or</P> <PRE><CODE>| eval telnofac = replace(telnofac , "44\d*","0\d*") </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Thu, 31 Aug 2017 11:39:18 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311369#M93323 gcusello 2017-08-31T11:39:18Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311370#M93324 <P>Hi @cusello, thank you for the comprehensive reply.</P> <P>I want to make the change at search time, so I used the second solution you provided but unfortunately, it didn't work with the output of the field now showing: </P> <P>0\d*</P> <P>Many thanks and kind regards</P> <P>Chris</P> Thu, 31 Aug 2017 11:57:42 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311370#M93324 IRHM73 2017-08-31T11:57:42Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311371#M93325 <P>try with<BR /> | replace "44*" WITH "0*" IN telnofac <BR /> instead rex command<BR /> Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 15:34:24 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311371#M93325 gcusello 2020-09-29T15:34:24Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311372#M93326 <P>Thank you @cusello</P> <P>Regards</P> Thu, 31 Aug 2017 12:15:11 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311372#M93326 IRHM73 2017-08-31T12:15:11Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311373#M93327 <P>Hi @cusello and all.</P> <P>I was able to make a working solution using: sed "s/44/0/g"</P> <P>Many thanks and kind regards</P> <P>Chris</P> Thu, 31 Aug 2017 12:22:58 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311373#M93327 IRHM73 2017-08-31T12:22:58Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311374#M93328 <P>Chris, you are aware that this will change all occurrences of 44 with 0, so if your telnofac is 4412345446789, it will result in 01234506789; probably not what you want.</P> <P>I would change it to <CODE>| rex field=telnofac mode=sed "s/^44/0/"</CODE> to only replace the first occurrence, anchored to the beginning of the field, just to be safe.</P> Thu, 31 Aug 2017 17:35:32 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311374#M93328 s2_splunk 2017-08-31T17:35:32Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311375#M93329 <P>Hi @ssievert, that's great I hadn't realise that.</P> <P>Thank you for taking the time to reply.</P> <P>May I ask what the ^ does.</P> <P>Many thanks and kind regards</P> <P>Chris</P> Fri, 01 Sep 2017 05:44:47 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311375#M93329 IRHM73 2017-09-01T05:44:47Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311376#M93330 <P>"^" anchors to the beginning of the string. See <A href="http://www.regular-expressions.info/anchors.html">here</A>.</P> Fri, 01 Sep 2017 21:21:07 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311376#M93330 s2_splunk 2017-09-01T21:21:07Z https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311377#M93331 <P>Many thanks @ssievert.</P> <P>Regards</P> <P>Chris</P> Mon, 04 Sep 2017 05:37:20 GMT https://community.splunk.com/t5/Splunk-Search/Replace-First-Two-Digits/m-p/311377#M93331 IRHM73 2017-09-04T05:37:20Z