Solved: Re: How to remove first 8 numbers of a field

adrianrepublic · ‎10-06-2020

I have a set of devices that are identified by a very long 15 number.

The first 8 numbers are just a prefix which we would like to hide and only display last 7 numbers

867723030939341 is an example

index=index1 sourcetype=devices | stats count by device....

Is there a ay to rem

ITWhisperer · ‎10-06-2020

| rex field=device mode=sed "s/^\d{8}//g"

or

| eval device=substr(device,9)

adrianrepublic · ‎10-06-2020

Worked a treat!

inventsekar · ‎10-06-2020

| makeresults | eval device=867723030939341 
|rex field=device "\d{8}(?<deviceid>.*)"
| table device deviceid

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

ITWhisperer · ‎10-06-2020

| rex field=device mode=sed "s/^\d{8}//g"

or

| eval device=substr(device,9)

How to remove first 8 numbers of a field