Re: Eval ltrim forward slash oddity

alnapp · ‎08-13-2012

Hi, Sure I'm missing something obvious, but:

Raw data has field "SourceName" which is looks like this: api.internal.local/XXXXXXXXX

where XXXXXXX is an API's name

I'm using:
eval API=ltrim(SourceName, "api.internal.local/")

and am getting odd results

some SourceName are behaving as I expect e.g. "api.internal.local/ServerStat" gives me "ServerStat"

but "api.internal.local/inform" gives me "nform"

The only thing I've spotted is the correctly returning values start with an upper-case "S" all others are lowercase

If I miss the slash of the end of the ltrim then all fields are evaluated to "/XXXXXXXX" as you might expect

Any suggestions as to cause, and advise on grabbing what I want would be very gratefully received?

ziegfried · ‎08-13-2012

I think ltrim is not applicable for your use-case as ltrim(X,Y) will remove all characters in Y from the left handside of X. Using the replace function is probably the best way to go:

... | eval  API=replace(SourceName,"ˆapi\.internal\.local/","")

To clarify: ltrim removes any characters given in the second argument from the left handside of the first argument. So not the exact sequence of Y is removed from X, but any character from Y is removed from X until it reaches a character Y doesn't contain. So ltrim(somefield,"AB") is exactly the same as ltrim(somefield,"BA") and is the same as ltrim(somefield,"ABBA").

Eval ltrim forward slash oddity

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation