How to achieve conditional formatting of values wi...

erikschubert · ‎02-03-2023

Hello everyone,

I have the following field and example value: sourcePort=514.000

I'd like to format these fields in such a way, that only the first digits until the point are kept. Furthermore, this should only apply to a certain group of events (group one).
Basically:
before: sourcePort=514.000
after: sourcePort=514

What I have until now:
search...
| eval sourcePort=if(group=one, regex part, sourcePort)

The regex to match only the digits is ^\d{1,5}
However, I am unsure how to work with the regex and if it is even possible to achieve my goal using this.

Thanks in advance

tpickle · ‎11-21-2023

I would use split and mvindex instead of rex:

| eval sourcePort=if(group=one,mvindex(split(sourcePort,"."),0),sourcePort)

diogofgm · ‎02-03-2023

You can use | rex to achieve that:

|rex field=sourcePort "(?<src_port>\d{1,5})"
|eval sourcePort=if(group=one,src_port,sourcePort)

------------
Hope I was able to help you. If so, some karma would be appreciated.

ITWhisperer · ‎02-03-2023

You can use the replace function (which supports regex)

| eval sourcePort=if(group=one,replace(sourcePort,"(?<p>\d{1,5})\.(?<q>.*)","\1"),sourcePort)

How to achieve conditional formatting of values with eval if and regex?

eval

fields

regex

rex

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?