Solved: Re: Can you help me extract and replace a new fiel...

mustafag · ‎09-12-2018

I have one field named as "data1" and I need to create another field named as "data2". In this new field, I need to copy same value of "data1" field, if value starts with "0" , and if value is not starting with "0" , then i want to add the 0 in the beginning of the value.

Original field
data1=0975665
data1=976554

New field
data2=0975665
Data2=0976554

Please help me to achieve this.

kamlesh_vaghela · ‎09-12-2018

@mustafag

Can you please try below search?

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

My Sample Search:

| makeresults | eval data1="0975665" | append [| makeresults | eval data1="976554"] | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

Thanks

View solution in original post

kamlesh_vaghela · ‎09-12-2018

@mustafag

Can you please try below search?

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

My Sample Search:

| makeresults | eval data1="0975665" | append [| makeresults | eval data1="976554"] | eval data2=if(substr(data1,1,1)=="0",data1,"0".data1)

Thanks

mustafag · ‎09-12-2018

Hi Kamlesh,
Appreciate for the quick response. your advised query did work as expected but I also want to validate the length of the field in addition to above requirement. So if field length is 7 then no need to replace, only replace if the length is 6.

Thanks,

kamlesh_vaghela · ‎09-12-2018

@mustafag

Please use below search.

YOUR_SEARCH | eval data2=if(substr(data1,1,1)=="0",data1,if(len(data1)==7,data1, "0".data1))

Can you help me extract and replace a new field from present field?

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control