Solved: Extract a field from a search and remove trailing ...

thenormalone · ‎02-23-2021

I have 2 splunk indexes from which I need to gather data from, so I have a simple splunk search (that queries for different timers) which retuns the different timer names used in our service but one of the indexes returns the same timer name with a trailing "_".

Eg: timerName=ABC.transaction_

How can I remove the trailing "_" from the timerName from the results obtained so that when I perform the stats command, it doesn't show the trailing "_"? Also, how can I merge the results from the 2 indexes into one?

Any help is appreciated, thanks!

scelikok · ‎02-23-2021

Hi @thenormalone,

You can use below sample; replace function will replace _ only if it is at the end.

( index=index1 OR index=index2 ) timerName=*
| eval timerName = replace(timer_Name,"_$","")
| stats count by timerName

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

thenormalone · ‎03-02-2021

Those work, thank you! 🙂

jotne · ‎02-24-2021

You can just search for both index at same time and then use SED to remove training _

index=index_1 OR index=index_2
| rex mode=sed field=timerName "s/_$//"

scelikok · ‎02-23-2021

Hi @thenormalone,

You can use below sample; replace function will replace _ only if it is at the end.

( index=index1 OR index=index2 ) timerName=*
| eval timerName = replace(timer_Name,"_$","")
| stats count by timerName

If this reply helps you an upvote and "Accept as Solution" is appreciated.

thenormalone · ‎02-23-2021

I found this to remove the trailing "_" but I still haven't figured out how to merge the two results from the different indexes into one

Extract a field from a search and remove trailing character

field extraction

fields

regex

stats

Buttercup Games Tutorial Extension - part 9

Buttercup Games Tutorial Extension - part 8

Introducing the Splunk Developer Program!

Are you a member of the Splunk Community?