Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replace dynamic field values?

kallisrayar1986
Path Finder
‎01-29-2015 11:12 AM

I have a field (Details) with the below values which is an output of stats command:

Details:

values(XXX)
values(YYY)

i want to replace the above with XXX and YYY, basically i want to trim values( and ).

If i try "replace values(XXX) with XXX in Details" it works fine but the XXX and YYY will be keep changing based on my search and it is going to be dynamic.

Please help.

Reply
1 Solution
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎02-02-2015 06:25 PM

If I understood the question correctly, you can use eval trim to remove the static characters.
so that would be

your query here | eval Details=trim(Details,"values(") | eval Details=trim(Details,")")

View solution in original post

Reply
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎02-02-2015 06:25 PM

If I understood the question correctly, you can use eval trim to remove the static characters.
so that would be

your query here | eval Details=trim(Details,"values(") | eval Details=trim(Details,")")
Reply
Solved! Jump to solution

ramdaspr
Contributor
‎02-03-2015 05:50 PM 
... | rex field=Details mode=sed "s/^values\(//" | rex field=Details mode=sed "s/\)$//"

Lets see if rex does it this time. I tried it locally with single strings and it seems to work ok.

Reply
Solved! Jump to solution

kallisrayar1986
Path Finder
‎02-04-2015 11:59 AM

hi, it worked fine this time.. thank you..!! 🙂

0 Karma
Reply
Solved! Jump to solution

ramdaspr
Contributor
‎02-04-2015 05:32 PM

No worries. But you have to note that it isnt the perfect solution either since it will replace any field value which has a ")" at the end even if it doesnt start with "values(".

Unfortunately my regex skills are lacking so you might want to check if there is a better regex option.

0 Karma
Reply
Solved! Jump to solution

kallisrayar1986
Path Finder
‎02-03-2015 05:16 PM

It is a tranpose results set, the column name is Details: the values are as follows -

Details

test_id
iter
appver
Scenario
Version
requests_count_total
values(aaa)
values(bbb)
values(ccc)
values(ddd)
values(eee)
values(fff)

0 Karma
Reply
Solved! Jump to solution

kallisrayar1986
Path Finder
‎02-03-2015 10:51 AM

Thank you, but the above query trims every field even if it does not contain values(), any other suggestion?

0 Karma
Reply
Solved! Jump to solution

ramdaspr
Contributor
‎02-03-2015 03:27 PM

Can you provide a sizable sample of what your data column looks like?
The trim command should ideally work only if a match is present so I am not sure what dataset its processing which is causing this issue.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...