Solved: How to extract one field combining different subst...

bharathreddyp · ‎10-17-2014

I have a pattern in my raw field " ..... SPLIT: 11111:22222 ........." which says master id was split to id1:id2. But the master id i need is id1id2. Is there a way to do this. I used rex and managed to get id1:id2, but couldn't take off the colon. I see extracting to 2 fields and doing 'eval' with '+' is an option, but that looks messy

So far, I have |rex "SPLIT: (?\d+:\d+)" ) |
This gives me masterID=11111:22222. But I need masterID=1111122222

sjaworski · ‎10-17-2014

Another way to use SED would be to pipe to the rex command again.

| rex field=MasterID mode=sed "s/://g"

View solution in original post

sjaworski · ‎10-17-2014

Another way to use SED would be to pipe to the rex command again.

| rex field=MasterID mode=sed "s/://g"

martin_mueller · ‎10-17-2014

One option is to set up an SEDCMD setting in props.conf that removes the colon from your events during index time. That'll work very well and will be simple to work with at search time, but remember that it does alter what is written to your index and that this cannot be done retroactively.

A purely search-time option is to extract both sections of the id into two fields and to define a calculated field that appends the two together, or to extract the whole id into one field and to define a calculated field that removes the colon.

How to extract one field combining different substrings of another field

3 Ways to Make OpenTelemetry Even Better

What's New in Splunk Cloud Platform 9.2.2406?

Enterprise Security Content Update (ESCU) | New Releases