Hi,
Is there an eval command that will remove the last part of a string?
For example:
"Installed - 5%" will become "Installed"
"Not Installed - 95%" will become "Not Installed"
Basically remove " - *%" from a string
Thanks
hi @baty0
try like this
| makeresults
| eval hari="Installed - 5%"
| append [| makeresults | eval hari="Not Installed - 95%" ]
| table hari
| eval results=split(hari," -")
| eval hari=mvindex(results,0)
| table hari
I have a use case where I need to pass the previously performed search query to replace part of the message with an empty string.
environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="*Data = *"| eval message=replace(message," Data = ","")
The above message in turn obtained must be used to do another operation.
But the replace function itself is not working when I did a Splunk search query. I am able to see the log with "Data =" not removed; it came as it is.
I need to do this ASAP. Can you please provide a solution?
@d942725 Please post a new question.
Hello,
You can use the eval replace() function to replace the " - ##%" values with regex as follows:
| makeresults
| eval foo = "Installed - 5%"
| eval bar = "Not Installed - 95%"
| eval foo_replaced=replace(foo,"\s\-\s\d+\%",""), bar_replaced=replace(bar,"\s\-\s\d+\%","")
Hey, you can extract using the rex command as well. With eval, you would have to use 2 steps, and rex is a 1-step solution:
Try this
| makeresults
| eval data="Installed - 5%,Not Installed - 95%"
| makemv data delim=","
| mvexpand data
| table data
| rex field=data "(?<newfield>[^\-]+)\s"
Let me know if this helps!
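The three approaches from this thread run side by side, as an added example that is not from any of the posters. The output field names (by_split, by_replace, by_rex) and the last two sample values ("Pre-Installed - 40%" and a value with no percentage suffix) are constructed here to show how each pattern treats a hyphen inside the value and a missing suffix; the replace() pattern is additionally anchored with $.

```spl
| makeresults
| eval data="Installed - 5%,Not Installed - 95%,Pre-Installed - 40%,Not Installed"
| makemv data delim=","
| mvexpand data
| eval by_split=mvindex(split(data," -"),0)
| eval by_replace=replace(data,"\s-\s\d+%$","")
| rex field=data "(?<by_rex>[^\-]+)\s"
| table data by_split by_replace by_rex
```

Compare the columns on the last two rows: the replace() pattern only removes a trailing " - NN%" suffix, the split depends on the first " -" in the value, and the rex character class stops at any hyphen and requires a following whitespace character.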