How to remove numbers from events at search time?

rajgowd1
Communicator

Hi,
I have endpoints which are extracted from the log message, and some endpoints have numbers at the end.
Can we replace those last digits with *?

Here are the extracted field and values:

uri = private/credentials/products/CCSID/1001111335764
uri=private/credentials/products/CCSID/1001111336914

Can we display them like below?

uri = private/credentials/products/CCSID/*
uri=private/credentials/products/CCSID/*

0 Karma

skoelpin
SplunkTrust

Try this

... | rex mode=sed "s/\d|\}//g"

0 Karma

skoelpin
SplunkTrust

Why not try this? This does exactly what you're looking for.

0 Karma

nabeel652
Builder

Yes, if you are sure that there will always be a number at the end:

... your search | rex field=uri "(?<uri>.*\/)\d+$" | ... 

or if you are not sure about the last part after "/":

... your search | rex field=uri "(?<uri>.*\/).*$" | ...

rajgowd1
Communicator

Thank you.
A few of the endpoints have a number at the end, so I would need to remove the number from a few of the endpoints.

0 Karma

nabeel652
Builder

So if the URL ends with digits you want to ignore them, but if it ends with alphanumeric values you want to leave them as is? Also, is CCSID something that repeats in every URL at the same place? If you could send a few possible variations of the URL string it would be easier. Cheers

0 Karma

rajgowd1
Communicator

Yes, if the endpoint ends with a digit then I want to ignore the digit or replace the digit with *.

If there is any alphanumeric value then I want to leave it as is.

CCSID repeats in the URL at the same place.

0 Karma

nabeel652
Builder

Try

| rex field=uri "(?<uri>.*[^\d])" 

This will extract a uri that doesn't end with digits, or ignore the digits if it ends with digits.
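
The patterns posted in this thread, compared side by side on sample URIs. This is an added example, not code from any of the posters: Python's `re` stands in for Splunk's regex engine, so the named group is written `(?P<uri>...)`. The helper names, the `wildcard_numeric_tail` variant and the last three sample URIs are assumptions constructed for illustration.

```python
import re

# The first two URIs come from the question; the rest are constructed edge cases.
SAMPLES = [
    "private/credentials/products/CCSID/1001111335764",
    "private/credentials/products/CCSID/1001111336914",
    "private/credentials/products/CCSID/A1B2",  # constructed: alphanumeric tail
    "private/credentials/v2",                   # constructed: digit that is not an ID
    "private/credentials/status",               # constructed: no digits at all
]

def rex_extract(pattern, value):
    """Model `rex field=uri "<pattern>"`: on a match the captured group replaces
    uri (assumed, as the answers rely on it); with no match uri is unchanged."""
    m = re.search(pattern, value)
    return m.group("uri") if m else value

def wildcard_numeric_tail(value):
    """Hypothetical variant: replace only a final all-digit path segment with *."""
    return re.sub(r"/\d+$", "/*", value)

CANDIDATES = {
    # sed-mode pattern from the thread, applied here to the uri value only
    "sed_all_digits": lambda v: re.sub(r"\d|\}", "", v),
    # the three rex patterns from the thread, in posting order
    "rex_trailing_digits": lambda v: rex_extract(r"(?P<uri>.*/)\d+$", v),
    "rex_last_segment": lambda v: rex_extract(r"(?P<uri>.*/).*$", v),
    "rex_non_digit_end": lambda v: rex_extract(r"(?P<uri>.*[^\d])", v),
    # added variant, not from the thread
    "wildcard_numeric_tail": wildcard_numeric_tail,
}

def compare(samples=SAMPLES):
    """Return {candidate name: [normalised uri for each sample]}."""
    return {name: [fn(s) for s in samples] for name, fn in CANDIDATES.items()}

if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for before, after in zip(SAMPLES, results):
            print(f"  {before} -> {after}")
```

On these samples only the added variant produces the `private/credentials/products/CCSID/*` form shown in the question while leaving the alphanumeric and `v2` tails untouched.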
