Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract one field combining different substrings of another field

bharathreddyp
Engager
‎10-17-2014 03:53 PM

I have a pattern in my raw field " ..... SPLIT: 11111:22222 ........." which says master id was split to id1:id2. But the master id i need is id1id2. Is there a way to do this. I used rex and managed to get id1:id2, but couldn't take off the colon. I see extracting to 2 fields and doing 'eval' with '+' is an option, but that looks messy

So far, I have |rex "SPLIT: (?\d+:\d+)" ) |
This gives me masterID=11111:22222. But I need masterID=1111122222

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sjaworski
Communicator
‎10-17-2014 07:09 PM

Another way to use SED would be to pipe to the rex command again.

| rex field=MasterID mode=sed "s/://g"

View solution in original post

Reply
Solved! Jump to solution
Solution

sjaworski
Communicator
‎10-17-2014 07:09 PM

Another way to use SED would be to pipe to the rex command again.

| rex field=MasterID mode=sed "s/://g"

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-17-2014 04:50 PM

One option is to set up an SEDCMD setting in props.conf that removes the colon from your events during index time. That'll work very well and will be simple to work with at search time, but remember that it does alter what is written to your index and that this cannot be done retroactively.

A purely search-time option is to extract both sections of the id into two fields and to define a calculated field that appends the two together, or to extract the whole id into one field and to define a calculated field that removes the colon.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Top