My goal is to remove part of my value to create a new value.
For example, I have a field called
created_time = 1517789420.357994. Does anyone know a way of getting
newCreatedTime = 1517789420?
I basically just want the .* to go away!
Any help would be appreciated.
@micahkemp 's answer is great, you could also try
|eval newCreatedTime =mvindex(split(created_time,"."),0) I only mention this in case you ever need to split a field that isn't numeric. http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/MultivalueEvalFunctions