Splunk Search

Can you help me extract and replace a new field from present field?

mustafag
Path Finder

I have one field named as "data1" and I need to create another field named as "data2". In this new field, I need to copy same value of "data1" field, if value starts with "0" , and if value is not starting with "0" , then i want to add the 0 in the beginning of the value.

Original field
data1=0975665
data1=976554

New field
data2=0975665
Data2=0976554

Please help me to achieve this.

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mustafag

Can you please try below search?

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

My Sample Search:

| makeresults | eval data1="0975665" | append [| makeresults | eval data1="976554"] | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

Thanks

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mustafag

Can you please try below search?

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

My Sample Search:

| makeresults | eval data1="0975665" | append [| makeresults | eval data1="976554"] | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

Thanks

0 Karma

mustafag
Path Finder

Hi Kamlesh,
Appreciate for the quick response. your advised query did work as expected but I also want to validate the length of the field in addition to above requirement. So if field length is 7 then no need to replace, only replace if the length is 6.

Thanks,

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mustafag

Please use below search.

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,if(len(data1)==7,data1, "0".data1))
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...