Can I remove a part of a string?

baty0
Explorer

Hi,

Is there an eval command that will remove the last part of a string?

For example:
"Installed - 5%" will become "Installed"
"Not Installed - 95%" will become "Not Installed"
Basically, remove " - *%" from a string.

Thanks

0 Karma
1 Solution

harishalipaka
Motivator

hi @baty0

try like this

| makeresults
| eval hari="Installed - 5%"
| append [| makeresults | eval hari="Not Installed - 95%" ]
| table hari
| eval results=split(hari," -")
| eval hari=mvindex(results,0)
| table hari
*********All the Best***********

0 Karma

d942725
New Member

I have a use case where I need to pass the previously performed search query to replace part of the message with an empty string.

environment="dev" domain="test" logger_name="com.test.practice.demo.sse.impl.EventEncrypter" message="*Data = *"| eval message=replace(message," Data = ","")

The message obtained above must in turn be used to do another operation.

But the replace function itself is not working when I ran a Splunk search query. I am able to see the log with "Data =" not removed; it came through as it is.

I need to do this ASAP. Can you please provide a solution?

0 Karma

richgalloway
SplunkTrust

@d942725 Please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

zonistj
Path Finder

Hello,

You can use the eval replace() function to replace the " - ##%" values with regex as follows:

| makeresults
| eval foo = "Installed - 5%" 
| eval bar = "Not Installed - 95%"
| eval foo_replaced=replace(foo,"\s\-\s\d+\%",""), bar_replaced=replace(bar,"\s\-\s\d+\%","")
0 Karma

mayurr98
Super Champion

Hey, you can extract using the rex command as well. With eval, you would have to use 2 steps, and rex is a 1-step solution.
Try this:

| makeresults 
| eval data="Installed - 5%,Not Installed - 95%" 
| makemv data delim="," 
| mvexpand data 
| table data
| rex field=data "(?<newfield>[^\-]+)\s"

Let me know if this helps!

0 Karma
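
Added example (not from any poster in this thread): the three approaches suggested above, run side by side over the two values from the question plus three constructed edge cases, with the replace() pattern anchored to the end of the string. The field names sample_constructed, by_split, by_rex and by_replace are illustrative assumptions.

```spl
| makeresults
| eval sample_constructed=split("Installed - 5%;Not Installed - 95%;Pre-Installed - 5%;Failed - retry - 40%;Not Installed", ";")
| mvexpand sample_constructed
| eval by_split=mvindex(split(sample_constructed, " -"), 0)
| rex field=sample_constructed "(?<by_rex>[^\-]+)\s"
| eval by_replace=replace(sample_constructed, "\s-\s\d+%$", "")
| table sample_constructed by_split by_rex by_replace
```

All three agree on the two original values. They diverge on the edge cases: the rex pattern returns "Installed" for "Pre-Installed - 5%" and "Not" for a bare "Not Installed", split cuts "Failed - retry - 40%" down to "Failed", and only the anchored replace() strips just the trailing " - NN%" (inside a Simple XML dashboard the "$" must be written as "$$").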
