https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336906#M99957 <P>Wow, Thank you very much DalJeanis. <BR /> You have been a great help to me.<BR /> Thanks again.</P> Mon, 06 Mar 2017 23:23:22 GMT superhm 2017-03-06T23:23:22Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336900#M99951 <P>Hi there, </P> <P>I wanna remove colons in a field value like a MAC Address.</P> <P>I have a field MAC like mac="E8:11:32:31:33:BA", but I want to remove colons to get mac="E811323133BA"</P> <P>How can I do it?</P> <P>Thanks,</P> Mon, 06 Mar 2017 09:08:07 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336900#M99951 superhm 2017-03-06T09:08:07Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336901#M99952 <P>I think the replace command should help.. try:</P> <PRE><CODE>| replace "*:*" with "**" in [FIELDNAME] </CODE></PRE> Mon, 06 Mar 2017 13:44:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336901#M99952 MOberschelp 2017-03-06T13:44:52Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336902#M99953 <P>Try <CODE>eval mac=replace (mac,":","")</CODE>.</P> Mon, 06 Mar 2017 13:55:38 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336902#M99953 richgalloway 2017-03-06T13:55:38Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336903#M99954 <P>This method would only work for the first colon. See the test results in my answer.</P> Mon, 06 Mar 2017 15:23:58 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336903#M99954 DalJeanis 2017-03-06T15:23:58Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336904#M99955 <P>I'd use rex in mode=sed (see newmac3 code below). richgalloway's method (newmac1 code below) also works.</P> <PRE><CODE>| makeresults | eval mac="E8:11:32:31:33:BA" | eval newmac1=mac, newmac2=mac, newmac3=mac | eval newmac1=replace (newmac1,":","") | replace "*:*" with "**" in newmac2 | rex field=newmac3 mode=sed "s/://g" | table mac, newmac1, newmac2, newmac3 </CODE></PRE> <P>...results in...</P> <PRE><CODE>mac newmac1 newmac2 newmac3 E8:11:32:31:33:BA E811323133BA E811:32:31:33:BA E811323133BA </CODE></PRE> Mon, 06 Mar 2017 15:30:36 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336904#M99955 DalJeanis 2017-03-06T15:30:36Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336905#M99956 <P>Thank you richgalloway. it works that I want.</P> Mon, 06 Mar 2017 23:16:09 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336905#M99956 superhm 2017-03-06T23:16:09Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336906#M99957 <P>Wow, Thank you very much DalJeanis. <BR /> You have been a great help to me.<BR /> Thanks again.</P> Mon, 06 Mar 2017 23:23:22 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336906#M99957 superhm 2017-03-06T23:23:22Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336907#M99958 <P>Thank you for your comment.<BR /> It work for the first colon. : )</P> Mon, 06 Mar 2017 23:28:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336907#M99958 superhm 2017-03-06T23:28:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336908#M99959 <P>Please make sure and upvote the helpful ones that work!</P> Tue, 07 Mar 2017 00:50:58 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336908#M99959 DalJeanis 2017-03-07T00:50:58Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336909#M99960 <P>I downvoted this post because doesnt eloquently answer the question. not that it doesnt answer the question... just the only thing they needed was:</P> <PRE><CODE>| eval newmac1=replace (mac,":","") </CODE></PRE> Tue, 03 Oct 2017 21:26:30 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336909#M99960 jtrujillo 2017-10-03T21:26:30Z https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336910#M99961 <P>@jtrujillo - Please reread my answer. Only line 6 in mine is <STRONG>needed</STRONG>, which is why my answer starts off with "I'd use rex in mode=sed (see newmac3 code below)." </P> <P>I may occasionally use a few more words than other people, but when I do it's usually intended to teach. The rest is there to demonstrate that the <CODE>rex mode=sed</CODE> and the <CODE>replace</CODE> method (that you liked) both work, using run-anywhere code that anyone can run to verify for themselves, and also posting the output from the entire search. </P> <P>Line 4 demonstrates that @richgalloway's method works correctly.<BR /> Line 5 demonstrates that @MOberschelp's method only removes the first colon.<BR /> Line 6 demonstrates that my way works correctly.</P> <P>Please also read the comment on my answer by the original poster. </P> Wed, 04 Oct 2017 12:16:51 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-remove-colons-in-a-field-value/m-p/336910#M99961 DalJeanis 2017-10-04T12:16:51Z