Solved: Re: How can I remove colons in a field value

superhm · ‎03-06-2017

Hi there,

I wanna remove colons in a field value like a MAC Address.

I have a field MAC like mac="E8:11:32:31:33:BA", but I want to remove colons to get mac="E811323133BA"

How can I do it?

Thanks,

DalJeanis · ‎03-06-2017

I'd use rex in mode=sed (see newmac3 code below). richgalloway's method (newmac1 code below) also works.

| makeresults 
| eval mac="E8:11:32:31:33:BA" 
| eval newmac1=mac, newmac2=mac, newmac3=mac
| eval newmac1=replace (newmac1,":","")
| replace "*:*" with "**" in newmac2
| rex field=newmac3 mode=sed "s/://g" 
| table mac, newmac1, newmac2, newmac3

...results in...

mac                newmac1       newmac2           newmac3           
E8:11:32:31:33:BA  E811323133BA  E811:32:31:33:BA  E811323133BA

View solution in original post

DalJeanis · ‎03-06-2017

I'd use rex in mode=sed (see newmac3 code below). richgalloway's method (newmac1 code below) also works.

| makeresults 
| eval mac="E8:11:32:31:33:BA" 
| eval newmac1=mac, newmac2=mac, newmac3=mac
| eval newmac1=replace (newmac1,":","")
| replace "*:*" with "**" in newmac2
| rex field=newmac3 mode=sed "s/://g" 
| table mac, newmac1, newmac2, newmac3

...results in...

mac                newmac1       newmac2           newmac3           
E8:11:32:31:33:BA  E811323133BA  E811:32:31:33:BA  E811323133BA

jtrujillo · ‎10-03-2017

I downvoted this post because doesnt eloquently answer the question. not that it doesnt answer the question... just the only thing they needed was:

| eval newmac1=replace (mac,":","")

DalJeanis · ‎10-04-2017

@jtrujillo - Please reread my answer. Only line 6 in mine is needed, which is why my answer starts off with "I'd use rex in mode=sed (see newmac3 code below)."

I may occasionally use a few more words than other people, but when I do it's usually intended to teach. The rest is there to demonstrate that the rex mode=sed and the replace method (that you liked) both work, using run-anywhere code that anyone can run to verify for themselves, and also posting the output from the entire search.

Line 4 demonstrates that @richgalloway's method works correctly.
Line 5 demonstrates that @MOberschelp's method only removes the first colon.
Line 6 demonstrates that my way works correctly.

Please also read the comment on my answer by the original poster.

superhm · ‎03-06-2017

Wow, Thank you very much DalJeanis.
You have been a great help to me.
Thanks again.

richgalloway · ‎03-06-2017

Try eval mac=replace (mac,":","").

---
If this reply helps you, Karma would be appreciated.

superhm · ‎03-06-2017

Thank you richgalloway. it works that I want.

DalJeanis · ‎03-06-2017

Please make sure and upvote the helpful ones that work!

MOberschelp · ‎03-06-2017

I think the replace command should help.. try:

| replace "*:*" with "**" in [FIELDNAME]

superhm · ‎03-06-2017

Thank you for your comment.
It work for the first colon. : )

DalJeanis · ‎03-06-2017

This method would only work for the first colon. See the test results in my answer.

How can I remove colons in a field value

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk