Splunk Search

Extract a field from a search and remove trailing character

thenormalone
Path Finder

I have 2 Splunk indexes from which I need to gather data, so I have a simple Splunk search (that queries for different timers) which returns the different timer names used in our service, but one of the indexes returns the same timer name with a trailing "_".

Eg: timerName=ABC.transaction_

How can I remove the trailing "_" from the timerName from the results obtained so that when I perform the stats command, it doesn't show the trailing "_"? Also, how can I merge the results from the 2 indexes into one?

Any help is appreciated, thanks!

1 Solution

scelikok
SplunkTrust

Hi @thenormalone,

You can use the sample below; the replace function will replace _ only if it is at the end.

( index=index1 OR index=index2 ) timerName=*
| eval timerName = replace(timerName,"_$","")
| stats count by timerName

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

thenormalone
Path Finder

Those work, thank you! 🙂


jotne
Builder

You can just search both indexes at the same time and then use sed to remove the trailing _:

index=index_1 OR index=index_2
| rex mode=sed field=timerName "s/_$//"
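As an added illustration, not code from this thread, the logic shared by scelikok's replace() answer and jotne's rex mode=sed answer is reproduced below in Python over a handful of constructed events, so the effect of the "_$" anchor and of pooling both indexes before stats can be checked outside Splunk. The index names (index1, index2) and timer names are made up for the example.

```python
import re
from collections import Counter

# Constructed sample events standing in for the two indexes in the question
# (hypothetical names index1/index2; timer names are invented). index2 emits
# the same timers with a trailing "_", exactly as the question describes.
SAMPLE_EVENTS = [
    {"index": "index1", "timerName": "ABC.transaction"},
    {"index": "index1", "timerName": "ABC.lookup"},
    {"index": "index1", "timerName": "XYZ.sub_total"},
    {"index": "index2", "timerName": "ABC.transaction_"},
    {"index": "index2", "timerName": "ABC.transaction_"},
    {"index": "index2", "timerName": "XYZ.sub_total_"},
]

# Same pattern as replace(timerName,"_$","") and "s/_$//": the "$" anchor
# limits the edit to a single underscore at the very end of the value.
TRAILING_UNDERSCORE = re.compile(r"_$")


def normalize_timer_name(name: str) -> str:
    """Strip one trailing underscore; interior underscores are untouched."""
    return TRAILING_UNDERSCORE.sub("", name)


def stats_count_by_timer(events, indexes=("index1", "index2")):
    """Mirror of:
        (index=index1 OR index=index2) timerName=*
        | eval timerName=replace(timerName,"_$","")
        | stats count by timerName
    Events from every listed index are pooled into one result set, the
    timer name is normalized, and counts are taken over the merged set.
    """
    counts = Counter()
    for ev in events:
        if ev.get("index") not in indexes:
            continue
        name = ev.get("timerName")
        if not name:  # timerName=* requires the field to be present
            continue
        counts[normalize_timer_name(name)] += 1
    return dict(counts)


def stats_count_unanchored(events):
    """What an unanchored replace would do: every "_" is removed, so
    XYZ.sub_total collapses to XYZ.subtotal and a bogus timer name appears."""
    counts = Counter()
    for ev in events:
        counts[ev["timerName"].replace("_", "")] += 1
    return dict(counts)


if __name__ == "__main__":
    for timer, n in sorted(stats_count_by_timer(SAMPLE_EVENTS).items()):
        print(f"{timer:20} {n}")
```

Because the OR clause already returns events from both indexes in a single search, no separate merge step is needed: once the field values agree, stats simply counts them together.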

thenormalone
Path Finder

I found this to remove the trailing "_", but I still haven't figured out how to merge the two results from the different indexes into one.
