Hoew to remove paticular string from the value in ...

Veeru · ‎07-28-2022

I have the Field with id

i want to only 3 digits id For example:
if i take t0123-123 here i want remove t0
t456-456 here i want remove t
t1023-023 here i want to remove t1
The excepted output as shown below:

ID	expected ID
a	a
t0123	123
t456	456
t1023	023

diogofgm · ‎07-28-2022

An option other than the one suggested by rrovers is to use the rex command:

| makeresults 
| eval id="a,t1023,t456,t0123"
| makemv delim="," id
| mvexpand id
| fields - _time
| rex field=id "(?<expected_id>\w{1,3}$)"

This option adds a bit more flexibility given that you can do some validation on the content by changing the regex (e.g. you want only the id's digits just swap \w with \d in the rex command)

------------
Hope I was able to help you. If so, some karma would be appreciated.

rrovers · ‎07-28-2022

| makeresults 
| eval ID="t1023" 
| eval IDlen=len(ID) 
| eval IDlen2=IDlen-2 
| eval IDtest=substr(ID,IDlen2) 
| table IDtest

Hoew to remove paticular string from the value in a filed?

eval

rex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!