Splunk Search

Can you help me extract and replace a new field from present field?

mustafag
Path Finder

I have one field named as "data1" and I need to create another field named as "data2". In this new field, I need to copy same value of "data1" field, if value starts with "0" , and if value is not starting with "0" , then i want to add the 0 in the beginning of the value.

Original field
data1=0975665
data1=976554

New field
data2=0975665
Data2=0976554

Please help me to achieve this.

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mustafag

Can you please try below search?

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

My Sample Search:

| makeresults | eval data1="0975665" | append [| makeresults | eval data1="976554"] | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

Thanks

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mustafag

Can you please try below search?

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

My Sample Search:

| makeresults | eval data1="0975665" | append [| makeresults | eval data1="976554"] | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

Thanks

0 Karma

mustafag
Path Finder

Hi Kamlesh,
Appreciate for the quick response. your advised query did work as expected but I also want to validate the length of the field in addition to above requirement. So if field length is 7 then no need to replace, only replace if the length is 6.

Thanks,

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mustafag

Please use below search.

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,if(len(data1)==7,data1, "0".data1))
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...