Splunk Search

How can I remove colons in a field value

superhm
Explorer

Hi there,

I wanna remove colons in a field value like a MAC Address.

I have a field MAC like mac="E8:11:32:31:33:BA", but I want to remove colons to get mac="E811323133BA"

How can I do it?

Thanks,

1 Solution

DalJeanis
SplunkTrust

I'd use rex in mode=sed (see newmac3 code below). richgalloway's method (newmac1 code below) also works.

| makeresults 
| eval mac="E8:11:32:31:33:BA" 
| eval newmac1=mac, newmac2=mac, newmac3=mac
| eval newmac1=replace (newmac1,":","")
| replace "*:*" with "**" in newmac2
| rex field=newmac3 mode=sed "s/://g" 
| table mac, newmac1, newmac2, newmac3

...results in...

mac                newmac1       newmac2           newmac3           
E8:11:32:31:33:BA  E811323133BA  E811:32:31:33:BA  E811323133BA  


0 Karma
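
Added example, not part of the original thread: the same regex-based replace from the answer above, generalized beyond the colon-only case to the other common MAC spellings (hyphen-separated, Cisco dotted, mixed case) so that values from different log sources collapse to one key. The sample values and the field names mac_norm, mac_valid and raw_forms are constructed for illustration.

```spl
| makeresults
| eval mac=split("E8:11:32:31:33:BA,e8-11-32-31-33-ba,e811.3231.33ba,E811323133BA,E8:11:32:31:33", ",")
| mvexpand mac
| eval mac_norm=upper(replace(mac, "[:.-]", ""))
| eval mac_valid=if(match(mac_norm, "^[0-9A-F]{12}$"), "yes", "no")
| stats values(mac) as raw_forms, count by mac_norm, mac_valid
```

The first four spellings group under a single mac_norm value, while the truncated fifth value lands in its own row with mac_valid="no" instead of silently joining against other events.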


jtrujillo
Path Finder

I downvoted this post because it doesn't eloquently answer the question. Not that it doesn't answer the question... just the only thing they needed was:

| eval newmac1=replace (mac,":","")
0 Karma

DalJeanis
SplunkTrust

@jtrujillo - Please reread my answer. Only line 6 in mine is needed, which is why my answer starts off with "I'd use rex in mode=sed (see newmac3 code below)."

I may occasionally use a few more words than other people, but when I do it's usually intended to teach. The rest is there to demonstrate that the rex mode=sed and the replace method (that you liked) both work, using run-anywhere code that anyone can run to verify for themselves, and also posting the output from the entire search.

Line 4 demonstrates that @richgalloway's method works correctly.
Line 5 demonstrates that @MOberschelp's method only removes the first colon.
Line 6 demonstrates that my way works correctly.

Please also read the comment on my answer by the original poster.

0 Karma

superhm
Explorer

Wow, thank you very much DalJeanis.
You have been a great help to me.
Thanks again.

richgalloway
SplunkTrust

Try eval mac=replace (mac,":","").

---
If this reply helps you, an upvote would be appreciated.

superhm
Explorer

Thank you richgalloway. It works the way I want.

0 Karma

DalJeanis
SplunkTrust

Please make sure and upvote the helpful ones that work!

0 Karma

MOberschelp
Explorer

I think the replace command should help.. try:

| replace "*:*" with "**" in [FIELDNAME]
0 Karma

superhm
Explorer

Thank you for your comment.
It works for the first colon. :)

0 Karma

DalJeanis
SplunkTrust

This method would only work for the first colon. See the test results in my answer.

0 Karma