Splunk Search

Help with trimming characters

TheJagoff
Communicator

Hi,

Having some issues here. I have the following values in a field named populace. The values are encased in a < and > (I tried to show it in the thread but it won't).

I need it to look like this:
15
12
4
0
...

I need to just get the numeric values out of this field and have used ltrim and rtrim, but I still see the unwanted characters < and >:

| eval field=rtrim(populace,">") | eval field=ltrim(populace,"<")

I also tried this:

| eval populace=trim("<")

Then finally I tried:

| rex field=populace "<:(?.* >:)"

Any guidance/help would be greatly appreciated.

Thank you.

1 Solution

javiergn
Super Champion

Hi,

Sorry if I missed anything, but your post is a bit confusing without the escaping characters. In the future, make sure you enclose all your queries and examples between code tags (the icon with 1s and 0s above).

Anyway, if you just want to capture numerical values you can use this instead:

yoursearch
| rex field=populace max_match=0 "(?<justNumbers>\d+)"
| table justNumbers

Let me know if that works for you. Otherwise please provide more info about your data.

Thanks,
J


somesoni2
Revered Legend

There are multiple options, rex with sed OR replace, to do that:

| gentimes start=-1
| eval text=" <15>"
| eval text1=text
| rex mode=sed field=text1 "s/(\<|\>)//g"
| eval text3=replace(replace(text,"<",""),">","")
| table text text1 text3

TheJagoff
Communicator

Yes, that can work also. I will keep this for further use - I'm sure that I will be running across things like this and can use all ways possible.


wrangler2x
Motivator

The easiest thing to do is to rex the field, matching on the less-than sign, then doing a named capture group for anything not matching a greater-than sign, using a different field name. Here is an example where I created the fields you said, and then extracted what is in them:

| gentimes start=-1 | eval populace="
 populace=<15>
 populace=<12>
 populace=<4>
 populace=<0>"
| rex max_match=0 field=populace "\x3C(?<populacext>[^\x3E]+)" | table populacext populace

The only thing you are interested in here is the rex -- the rest is just window-dressing to create the basis for it in search. In your case you would not need the max_match=0.

wrangler2x
Motivator

Oh, and I don't know why Splunk Answers places a "5." in front of the line populace=<0>" -- don't include that in your search when you try my test.

javiergn
Super Champion

Hi,

The following gives me the output you are looking for:

| gentimes start=-1 
| eval populace="
    populace=<15>
    populace=<12>
    populace=<4>
    populace=<0>"
 | rex field=populace max_match=0 "(?<justNumbers>\d+)"
 | table justNumbers

OUTPUT:

justNumbers
15
12
4
0 

If you take the bottom two lines and append them to your search, it should give you what you are looking for. Otherwise please provide more information.

The following works too:

| gentimes start=-1 
| eval populace="
    <15>
    <12>
    <4>
    <0>"
 | rex field=populace max_match=0 "(?<justNumbers>\d+)"
 | table justNumbers

And the following:

| gentimes start=-1 
| eval populace="
    <15
    12
    4
    0>"
 | rex field=populace max_match=0 "(?<justNumbers>\d+)"
 | table justNumbers

TheJagoff
Communicator

Hey that works perfectly. Many thanks!

I apologize for not being able to show the issue better, but I did encase the numbers in the <>. At first the numbers were not showing; then I put a \ in front of the > and I was told that I had an XML phrase and couldn't post that. I also should have stated that there are thousands of lines where this is happening. Again, I thank you for your insight.
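The replies above reach the same result, 15 / 12 / 4 / 0, by three different routes: capturing \d+, capturing whatever sits between the brackets, and deleting the brackets with sed or nested replace(). They agree on the thread's data but not in general, and the asker's original rtrim/ltrim pair fails for a reason worth seeing once. The Python script below is an added example, not code from any of the posts: it emulates each SPL expression with Python's re module (Splunk's rex uses PCRE, where a named group is written (?<name>...); Python writes it (?P<name>...)) over constructed sample values. The first four values copy the <15>, <12>, <4>, <0> shape from the question; the rest (a thousands separator, a negative number, padding spaces, non-numeric content) are assumptions added here to show where the approaches diverge. The is_clean_integer check is likewise an addition, the kind of guard you would want before feeding the extracted field to tonumber() or a sum.

```python
import re

# Constructed sample values for the "populace" field (not taken from the thread).
# The first four follow the <15>, <12>, <4>, <0> shape described there; the
# rest are edge cases added here to show where the approaches disagree.
SAMPLE_VALUES = ["<15>", "<12>", "<4>", "<0>", "<1,200>", "<-3>", "< 7 >", "<n/a>"]


def splunk_ltrim(value, chars):
    """Emulates eval ltrim(X, Y): remove any of the characters in Y from the left of X."""
    return value.lstrip(chars)


def splunk_rtrim(value, chars):
    """Emulates eval rtrim(X, Y): remove any of the characters in Y from the right of X."""
    return value.rstrip(chars)


def trim_chain_as_posted(value):
    r"""The two evals from the question:
         | eval field=rtrim(populace,">") | eval field=ltrim(populace,"<")
    The second eval reads populace again instead of field, so the rtrim result
    is thrown away and the trailing > survives."""
    field = splunk_rtrim(value, ">")
    field = splunk_ltrim(value, "<")  # starts over from the untouched value
    return field


def trim_chain_fixed(value):
    r"""Same two evals, but the second one reads the intermediate field:
         | eval field=rtrim(populace,">") | eval field=ltrim(field,"<")"""
    field = splunk_rtrim(value, ">")
    field = splunk_ltrim(field, "<")
    return field


def rex_digits(value):
    r"""rex field=populace max_match=0 "(?<justNumbers>\d+)"
    Every maximal run of digits becomes one value of the multivalue field, so a
    thousands separator splits a number in two and a leading minus sign is lost."""
    return [m.group("justNumbers") for m in re.finditer(r"(?P<justNumbers>\d+)", value)]


def rex_between_brackets(value):
    r"""rex field=populace "\x3C(?<populacext>[^\x3E]+)"
    \x3C is <, \x3E is >: capture everything after a < up to the next >,
    whatever it is (sign, comma, spaces, letters)."""
    return [m.group("populacext") for m in re.finditer(r"\x3C(?P<populacext>[^\x3E]+)", value)]


def sed_strip_brackets(value):
    r"""rex mode=sed field=populace "s/[<>]//g", equivalent to
    replace(replace(populace,"<",""),">",""): delete the delimiters, keep the rest."""
    return re.sub(r"[<>]", "", value)


def is_clean_integer(text):
    """Added guard: accept only an optional minus sign followed by ASCII digits,
    so padded, comma-separated or non-numeric leftovers are caught before tonumber()."""
    return re.fullmatch(r"-?[0-9]+", text) is not None


def compare(values=SAMPLE_VALUES):
    """Run every approach over the sample values and return one dict per value."""
    rows = []
    for v in values:
        rows.append({
            "populace": v,
            "trim_as_posted": trim_chain_as_posted(v),
            "trim_fixed": trim_chain_fixed(v),
            "rex_digits": rex_digits(v),
            "rex_brackets": rex_between_brackets(v),
            "sed": sed_strip_brackets(v),
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

On the thread's own data all three rex/sed routes return the bare number, and the posted rtrim/ltrim chain returns 15> because the second eval restarts from populace. The constructed edge cases are where the choice matters: \d+ turns <1,200> into two values (1 and 200) and <-3> into 3, while the bracket capture and the sed strip keep 1,200, -3, " 7 " and n/a intact, which is exactly why a fullmatch-style check is worth running before arithmetic.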