Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Eval ltrim forward slash oddity

alnapp
Engager
‎08-13-2012 09:19 AM

Hi, Sure I'm missing something obvious, but:

Raw data has field "SourceName" which is looks like this: api.internal.local/XXXXXXXXX

where XXXXXXX is an API's name

I'm using:
eval API=ltrim(SourceName, "api.internal.local/")

and am getting odd results

some SourceName are behaving as I expect e.g. "api.internal.local/ServerStat" gives me "ServerStat"

but "api.internal.local/inform" gives me "nform"

The only thing I've spotted is the correctly returning values start with an upper-case "S" all others are lowercase

If I miss the slash of the end of the ltrim then all fields are evaluated to "/XXXXXXXX" as you might expect

Any suggestions as to cause, and advise on grabbing what I want would be very gratefully received?

Tags (1)
0 Karma
Reply

ziegfried
Influencer
‎08-13-2012 09:52 AM

I think ltrim is not applicable for your use-case as ltrim(X,Y) will remove all characters in Y from the left handside of X. Using the replace function is probably the best way to go:

... | eval  API=replace(SourceName,"ˆapi\.internal\.local/","")

To clarify: ltrim removes any characters given in the second argument from the left handside of the first argument. So not the exact sequence of Y is removed from X, but any character from Y is removed from X until it reaches a character Y doesn't contain. So ltrim(somefield,"AB") is exactly the same as ltrim(somefield,"BA") and is the same as ltrim(somefield,"ABBA").

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...