Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I remove a part of a string?

baty0
Explorer
‎09-10-2018 08:41 PM

Hi,

Is there an eval command that will remove the last part of a string.

For example:
"Installed - 5%" will be come "Installed"
"Not Installed - 95%" will become "Not Installed"
Basically remove " - *%" from a string

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎09-10-2018 10:59 PM

hi @baty0

try like this 

|makeresults |eval hari="Installed - 5%" |append [| makeresults |eval  hari="Not Installed - 95%" ] |table hari |eval results=split(hari," -") |eval hari=mvindex(results,0) |table hari
Thanks
Harish

View solution in original post

0 Karma
Reply
Solved! Jump to solution

d942725
New Member
‎01-31-2020 03:57 AM

I have a use case where i need to pass the previously performed search query to replace the part of message with empty string.

environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="*Data = *"| eval message=replace(message," Data = ","")

The above message in turn obtained must be used to do another operation.

But the replace function itself is not working when i did a splunk search query. I am able to see the log with "Data =" being not removed and came as it is.

I need to do this asap. can u pls provide a solution ?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-31-2020 05:30 AM

@d942725 Please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

zonistj
Path Finder
‎09-11-2018 11:00 AM

Hello,

You can use the eval replace() function to replace the " - ##%" values with regex as follows:

| makeresults
| eval foo = "Installed - 5%" 
| eval bar = "Not Installed - 95%"
| eval foo_replaced=replace(foo,"\s\-\s\d+\%",""), bar_replaced=replace(bar,"\s\-\s\d+\%","")
0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎09-11-2018 02:31 AM

Hey, you can extract using rex command as well. with eval, you would have to use 2 steps and rex is 1 step solution:
Try this

| makeresults 
| eval data="Installed - 5%,Not Installed - 95%" 
| makemv data delim="," 
| mvexpand data 
| table data| rex field=data "(?<newfield>[^\-]+)\s"

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎09-10-2018 10:59 PM

hi @baty0

try like this 

|makeresults |eval hari="Installed - 5%" |append [| makeresults |eval  hari="Not Installed - 95%" ] |table hari |eval results=split(hari," -") |eval hari=mvindex(results,0) |table hari
Thanks
Harish
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...