Splunk Search

How to remove first 8 numbers of a field

adrianrepublic
Explorer

I have a set of devices that are identified by a very long 15-digit number.

The first 8 numbers are just a prefix which we would like to hide and only display the last 7 numbers.

867723030939341 is an example

index=index1 sourcetype=devices | stats count by device....

Is there a way to rem

1 Solution

ITWhisperer
SplunkTrust
| rex field=device mode=sed "s/^\d{8}//g"

or

| eval device=substr(device,9)


adrianrepublic
Explorer

Worked a treat!

0 Karma

inventsekar
SplunkTrust

Hi @adrianrepublic 

| makeresults | eval device=867723030939341
| rex field=device "\d{8}(?<deviceid>.*)"
| table device deviceid


0 Karma
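
Added example, not part of any post in this thread: the substr approach from the accepted solution, run over constructed sample values, written to a separate field so the full ID stays available, and guarded so that values that are not exactly 15 digits pass through unchanged. The field names device_short, full_ids, full_values and collision, and every device value except 867723030939341, are assumptions made for illustration; dc(device) flags shortened IDs that come from more than one full ID, which stats count by the shortened field would otherwise merge.

```spl
| makeresults
| eval device=split("867723030939341,867723030939342,351234560939341,12345", ",")
| mvexpand device
| eval device_short=if(match(device, "^\d{15}$"), substr(device, 9), device)
| stats count dc(device) AS full_ids values(device) AS full_values by device_short
| eval collision=if(full_ids > 1, "yes", "no")
| table device_short count full_ids collision full_values
```

Against real data, replace the first three lines with the base search (index=index1 sourcetype=devices) and drop full_values from the final table if the prefix must stay hidden in the output.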
