- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with trimming characters
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Having some issues here. I have the following values in a field named populace
The values are encased in a < and > (I tried to show it in the thread but it won't)
I need it to look like this:
15
12
4
0
...
I need to just get the numeric values out of this field and have used ltrim and rtrim, but still see the unwanted characters of < and >
| eval field=rtrim(populace,">") | eval field=ltrim(populace,"<")
I also tried this:
| eval populace=trim("<")
Then finally I tried:
| rex field=populace "<:(?.* >:)"
Any guidance/help would be greatly appreciated.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry if I missed anything but your post is a bit confusing without the escaping characters. In future make sure you enclose all your queries and examples between code tags (the icon with 1s and 0s above)
Anyway, if you just want to capture numerical values you can use this instead:
yoursearch
| rex field=populace max_match=0 "(?<justNumbers>\d+)"
| table justNumbers
Let me know if that works for you. Otherwise please provide more info about your data.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are multiple options, rex with sed OR replace to do that
| gentimes start=-1 | eval text=" <15>"
| table text | eval text1=text | rex mode=sed field=text1 "s/(\<|\>)//g" | eval text3=replace(replace(text,"<",""),">","")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that can work also. I will keep this for further use - I'm sure that I will be running across things like this and can use all ways possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest thing to do is to rex the field, matching on the less-than-sign, then doing a named capture group for anything not matching a more-than-sign, using a different field name. Here is an example where I created the fields you said, and then extracted what is in them:
| gentimes start=-1 | eval populace="
populace=<15>
populace=<12>
populace=<4>
populace=<0>"
| rex max_match=0 field=populace "\x3C(?<populacext>[^\x3E]+)" | table populacext populace
The only thing you are interested in here is the rex -- the rest is just window-dressing to create the basis for it in search. In your case you would not need the max_match=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, and I don't know why splunk anwers place a 5. in front of the line populace=<0>" -- don't include that in your search when you try my test.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry if I missed anything but your post is a bit confusing without the escaping characters. In future make sure you enclose all your queries and examples between code tags (the icon with 1s and 0s above)
Anyway, if you just want to capture numerical values you can use this instead:
yoursearch
| rex field=populace max_match=0 "(?<justNumbers>\d+)"
| table justNumbers
Let me know if that works for you. Otherwise please provide more info about your data.
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The following gives me the output you are looking for:
| gentimes start=-1
| eval populace="
populace=<15>
populace=<12>
populace=<4>
populace=<0>"
| rex field=populace max_match=0 "(?<justNumbers>\d+)"
| table justNumbers
OUTPUT:
justNumbers
15
12
4
0
If you take the bottom two lines and append that to your search if should give you what you are looking for. Otherwise please provide more information.
The following works too:
| gentimes start=-1
| eval populace="
<15>
<12>
<4>
<0>"
| rex field=populace max_match=0 "(?<justNumbers>\d+)"
| table justNumbers
And the following:
| gentimes start=-1
| eval populace="
<15
12
4
0>"
| rex field=populace max_match=0 "(?<justNumbers>\d+)"
| table justNumbers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey that works perfectly. Many thanks!
I apologize for not being able to show the issue better but I did encase the numbers in the <> but at first, the numbers were not showing, then I put a \ in front of the > and I was told that I had an xml phrase and couldn't post that. I also should have stated that there are thousands of lines where this is happening. Again, I thank you for your insight.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
