
How to remove first 8 numbers of a field

adrianrepublic
Explorer

I have a set of devices that are identified by a very long 15-digit number.

The first 8 numbers are just a prefix which we would like to hide and only display the last 7 numbers.

867723030939341 is an example

index=index1 sourcetype=devices | stats count by device....

Is there a way to rem

1 Solution

ITWhisperer
SplunkTrust
| rex field=device mode=sed "s/^\d{8}//g"

or

| eval device=substr(device,9)


adrianrepublic
Explorer

Worked a treat!

0 Karma

inventsekar
SplunkTrust

Hi @adrianrepublic 

| makeresults | eval device=867723030939341
| rex field=device "\d{8}(?<deviceid>.*)"
| table device deviceid


0 Karma
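An added example, not part of any post in this thread: a self-contained search that runs the `substr` approach next to a guarded regex variant over constructed device values, so the behaviour on values that are not 15 digits is visible. The five sample values and the field names `n`, `by_substr` and `by_regex` are made up for illustration; `match` and `replace` are standard eval functions.

```spl
| makeresults count=5
| streamstats count AS n
| eval device=case(n=1, "867723030939341",
                   n=2, "867723030939341",
                   n=3, "111111110939341",
                   n=4, "12345",
                   n=5, "AB-0939341")
| stats count BY device
| eval by_substr=substr(device, 9)
| eval by_regex=if(match(device, "^\d{15}$"), replace(device, "^\d{8}", ""), device)
| table device by_substr by_regex count
```

Because `stats count BY device` runs on the full value, the two constructed devices that share their last 7 digits stay on separate rows with separate counts; trimming before `stats` would add them together. `substr(device, 9)` cuts every value regardless of its shape, while the guarded variant only shortens values that are exactly 15 digits and leaves anything else untouched.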
