Re: How to remove beginning of a fieldname(prefix)...

chenglta · ‎09-10-2020

Generally, I want to transform:
"sort_index"
"89080_10.9.2.0"
"89090_10.9.1.0"
"89150_10.8.5.0"
...

into:
"sort_index"
"10.9.2.0"
"10.9.1.0"
"10.8.5.0"

In all, I want to remove anything before character "_".

I have tried so many rex, wildcard expressions but nothing worked. Like:

| rex field=sort_index “\w{5}_(?<sort_index>\S+)” (remove 5 characters before _ )
| rename \d+_* as *
| rename \w{5}_* as *

Could anyone please help me to solve this problem?

How does this problem come from? Originally I created a timechart.

As illustrated, the version is lexicon-graphically sorted. I want it (field: version ) to be sorted in reverse order. But | sort -_time, -version simply did not work. So I created a new field named 'sort_index' and sort this new field. In order not to forget 'version', I combine new 'sort_index' with 'version' by adding '_' in the middle.

Now it is in the right order: 10.9.2.0 10.9.1.0 10.8.5.0 10.8.2.0 10.7.3.0 10.5.2.0
But I need to remove the prefix created previously.
These are the backgrounds why I want to do this work. If you have any better advice to achieve this target, please give me your suggestion.

Best,

Chenglong

thambisetty · ‎09-11-2020

did you look into below thread?

https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/34...

————————————
If this helps, give a like below.

ITWhisperer · ‎09-11-2020

| eval index=split(sort_index,"_")
| eval sort_index=mvindex(index,1)
| fields - index

How to remove beginning of a fieldname(prefix)?

administration

Analytics Workspace

configuration

metrics

troubleshooting

using Splunk Enterprise

What’s New in Splunk Cloud Platform 9.1.2308?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk