Dashboards & Visualizations

How to remove trailing end of a field when field and trailing end are different and include a dash before the number

New Member

Trying to not sound confusing, so here are some examples of PORTs extracted from our logs:


Convert these by removing the trailing -#, as the lower IDs represent circuits, but removing the end -# identifies the TRUNK:


The second thing I'd like to try is to remove all the ALPHA characters and the first "-" to only leave:
1-23-4 <-- This is my future goal, as we are currently trying to build a dashboard that uses a lookup csv file to identify the circuit IDs, which is designed as NODE/PORT/CircuitID. My search already can find some of these, but the lookup table is extracted from the nodes themselves and the PORT names are sometimes different.
Instead of re-building the lookup table, I'd like to have a way to reduce the PORT down to just numbers and dashes on both the SEARCH and LOOKUP side, which are two different things in my search, but they must match to identify the CircuitID.

0 Karma


Assuming that the fields you need are:

raw: EthernetService-1-23-4-5
trunk: EthernetService-1-23-4
name: EthernetService
node: 1-23
circuit_id: 5
Use this:

(your search)|rex field="ciena.portid" "(?<trunk>(?<name>[^\-]+)\-(?<node>[^\-]+\-[^\-]+)\-[^\-]+)\-(?<circuit_id>\d+)$"

You can rename the named capture groups (e.g. trunk, node, name, etc.) as you need.

Hope I was able to help you. If so, some karma would be appreciated.
0 Karma


This will strip the last minus and number:

(your search)
| rex "(?<stripLast>.*?-\d+-\d+-\d+).*"

And this will get you the inside stuff:

(your search)
| rex ".*?-(?<inside>.*?-\d+-\d+).*"
0 Karma

New Member

Sorry, still a noob here... I don't search for this column, it is simply a rename command on a pre-defined field. The rename is used to make the extracted field the same as the node's native alarm monitoring tool. The idea here is to mimic. So, how would this rex command follow a simple statement such as:

| rename ciena.portid AS Port.ID
| table _time Port.ID Alarm ...etc...

0 Karma


Assuming that Port.ID is the field that contains your text, like LoPPG-1-23-45-6,
you need to just replace either mine or @jpolvino's rex with something like this:

| rex field=Port.ID "(?<stripLast>.*?-\d+-\d+-\d+).*"
| rex field=Port.ID ".*?-(?<inside>.*?-\d+-\d+).*"

or you do something like this:

| rex field=Port.ID "(?<extract1>\w+\-+\d+\-+\d+\-\d+)"
| rex field=extract1 "\w+\-(?<extract2>.*)"

0 Karma

| makeresults
| eval x="EthernetService-1-23-4-5"
| rex field=x "(?<extract1>\w+\-+\d+\-+\d+\-\d+)"
| rex field=extract1 "\w+\-(?<extract2>.*)"

Remove makeresults and replace x by your field name or _raw as applicable.

0 Karma
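As an added example that is not part of this thread: the regexes discussed above translated to Python named groups and run over the sample PORT values quoted in the question, including the digits-and-dashes form the question asks for so that a search-side PORT and a differently spelled lookup-side PORT can still be compared. The lookup rows and the non-matching "Mgmt" value are constructed for the example.

```python
import re

# Constructed sample values: the PORT strings quoted in the thread, plus a
# lookup row whose PORT spelling differs from the search side (the OP's problem).
SEARCH_PORTS = ["EthernetService-1-23-4-5", "LoPPG-1-23-45-6", "Mgmt"]
LOOKUP_ROWS = [  # (NODE, PORT, CircuitID), the OP's lookup csv layout
    ("node01", "ETH-1-23-4", "CKT-100"),
    ("node01", "LoPPG-1-23-45", "CKT-200"),
]

# Groups arranged so that trunk/name/node/circuit_id line up with the fields
# listed in the first answer (name-node-portnumber-circuit).
PORT_RE = re.compile(
    r"^(?P<trunk>(?P<name>[^-]+)-(?P<node>\d+-\d+)-\d+)-(?P<circuit_id>\d+)$"
)
# jpolvino's 'inside' pattern: everything after the first '-' up to the third number.
INSIDE_RE = re.compile(r".*?-(?P<inside>.*?-\d+-\d+).*")


def parse_port(port):
    """Split a full PORT into trunk/name/node/circuit_id; None if it does not fit."""
    m = PORT_RE.match(port)
    return m.groupdict() if m else None


def normalize(port):
    """Reduce a PORT (search or lookup side) to digits and dashes only,
    e.g. 'EthernetService-1-23-4-5' and 'ETH-1-23-4' both give '1-23-4'."""
    m = INSIDE_RE.match(port)
    return m.group("inside") if m else None


def find_circuit(port, rows=LOOKUP_ROWS):
    """Match a search-side PORT against the lookup by comparing normalized values,
    so the differing alpha prefixes no longer break the join."""
    key = normalize(port)
    if key is None:
        return None
    for _node, lookup_port, circuit in rows:
        if normalize(lookup_port) == key:
            return circuit
    return None


if __name__ == "__main__":
    for p in SEARCH_PORTS:
        print(p, parse_port(p), normalize(p), find_circuit(p))
```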

New Member

I see what you are doing here, but the column has all of the supplied examples. I'm assuming I'll have to create an eval field for each of the outputs, which I really don't want to do.
I'll play around with this answer of course as everything here is somehow useful today or in the future. Thanks sir!

0 Karma


Hmm, not sure why you have to create an eval field for each of your outputs, can you please clarify?
and please don't call me 'sir' as I have not yet been knighted by the queen of England 🙂 🙂

0 Karma