Splunk Search

Eval ltrim forward slash oddity

alnapp
Engager

Hi, Sure I'm missing something obvious, but:

Raw data has field "SourceName" which looks like this: api.internal.local/XXXXXXXXX

where XXXXXXX is an API's name

I'm using:
eval API=ltrim(SourceName, "api.internal.local/")

and am getting odd results

some SourceName are behaving as I expect e.g. "api.internal.local/ServerStat" gives me "ServerStat"

but "api.internal.local/inform" gives me "nform"

The only thing I've spotted is the correctly returning values start with an upper-case "S"; all others are lowercase

If I miss the slash off the end of the ltrim then all fields are evaluated to "/XXXXXXXX" as you might expect

Any suggestions as to cause, and advice on grabbing what I want would be very gratefully received?

0 Karma

ziegfried
Influencer

I think ltrim is not applicable for your use-case as ltrim(X,Y) will remove all characters in Y from the left-hand side of X. Using the replace function is probably the best way to go:

... | eval API=replace(SourceName,"^api\.internal\.local/","")

To clarify: ltrim removes any characters given in the second argument from the left-hand side of the first argument. So not the exact sequence of Y is removed from X, but any character from Y is removed from X until it reaches a character Y doesn't contain. So ltrim(somefield,"AB") is exactly the same as ltrim(somefield,"BA") and is the same as ltrim(somefield,"ABBA").
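A side-by-side search for the behaviour described in this thread, added here as an example and not part of either post. It runs ltrim, the anchored replace, a length-based substr and a rex capture over the same values. The SourceName values (including "orders" and the non-matching "other.host/inform") and the via_* field names are constructed for illustration. Because ltrim treats "api.internal.local/" as the character set a, p, i, ., n, t, e, r, l, o, c, /, any API name that begins with one of those characters loses leading characters, while a name starting with an upper-case "S" is left intact.

```spl
| makeresults
| eval SourceName=split("api.internal.local/ServerStat,api.internal.local/inform,api.internal.local/orders,other.host/inform", ",")
| mvexpand SourceName
| eval prefix="api.internal.local/"
| eval via_ltrim=ltrim(SourceName, "api.internal.local/")
| eval via_replace=replace(SourceName, "^api\.internal\.local/", "")
| eval via_substr=if(substr(SourceName, 1, len(prefix))==prefix, substr(SourceName, len(prefix)+1), SourceName)
| rex field=SourceName "^api\.internal\.local/(?<via_rex>.+)$"
| table SourceName via_ltrim via_replace via_substr via_rex
```

For a SourceName that does not start with the prefix, via_replace and via_substr return the value unchanged and via_rex is left empty, which makes unexpected sources easy to spot.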
