Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- What is the least expensive way of removing multip...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
My objective is to clean three distinct substrings from a comma delimited string. Those substrings may all be present in the string, may not all be present in the string, or may not be present at all in the string. Their positions within the string can vary as well. Assuming values substring1, substring2, and substring3, here are some examples:
this,is,substring1,a,sentence,with,one
substring2,this,has,substring1,all,three,substring3
here,there,are,no,substrings
this,only,substring3,substring1,has,two
Ideally I would like to encorporate the logic within a data model, which limits me to eval or rex ( replace isn't possible). So far I can do it with rex mode=sed but I can't add it to a data model. Here is a run anywhere with my sed solution:
| makeresults | eval string="this,is,substring1,a,sentence,with,one"
| append [ | makeresults | eval string="substring2,this,has,substring1,all,three,substring3" ]
| append [ | makeresults | eval string="here,there,are,no,substrings" ]
| append [ | makeresults | eval string="this,only,substring3,substring1,has,two" ]
| table string
| rex mode=sed field=string "s/$/,/g"
| rex mode=sed field=string "s/substring1,//g"
| rex mode=sed field=string "s/substring2,//g"
| rex mode=sed field=string "s/substring3,//g"
| rex mode=sed field=string "s/.$//g"
The first and last sed commands are to add a comma to the end of the string to manage the case where a substring is positioned at the end, and to remove it again to clean up afterwards.
Are there any better solutions?
Thanks in advance, and best regards,
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK i figured it out! I realized that replace can also be used as part of an eval. Here is the run anywhere solution:
| makeresults | eval string="this,is,substring1,a,sentence,with,one"
| append [ | makeresults | eval string="substring2,this,has,substring1,all,three,substring3" ]
| append [ | makeresults | eval string="here,there,are,no,substrings" ]
| append [ | makeresults | eval string="this,only,substring3,substring1,has,two" ]
| table string
| eval result = replace(string,"([\s,](substring1|substring2|substring3))|((substring1|substring2|substring3)[\s,])","")
Not sure whether there is a better way of doing it, so any suggestions are welcome!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK i figured it out! I realized that replace can also be used as part of an eval. Here is the run anywhere solution:
| makeresults | eval string="this,is,substring1,a,sentence,with,one"
| append [ | makeresults | eval string="substring2,this,has,substring1,all,three,substring3" ]
| append [ | makeresults | eval string="here,there,are,no,substrings" ]
| append [ | makeresults | eval string="this,only,substring3,substring1,has,two" ]
| table string
| eval result = replace(string,"([\s,](substring1|substring2|substring3))|((substring1|substring2|substring3)[\s,])","")
Not sure whether there is a better way of doing it, so any suggestions are welcome!
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
